Security Settings for PaperCut's Web Server
Last modified on 11 June 2012 01:07 PM

PaperCut uses an embedded web server called Jetty. Although the out-of-the-box security-related settings should suit most sites, in some situations there are site-specific options that may improve security. For general security-related questions, be sure to see Common Security Questions and Security.

Q: Can I use/install my own SSL certificate?

Yes, see the user manual section , which includes instructions for both generating a new SSL certificate and installing an existing SSL certificate.

Q: I use a NAT, and I can forge/create an HTTP request that exposes PaperCut's "internal" IP address. How can I prevent this?

(This question also applies to security audit software that may report something like "Web Server HTTP Header Internal IP Disclosure".)

PaperCut's web server requires the ability to redirect users to new pages. When performing a redirect, the target location is based on the Host header that the web browser sent in its request. If the Host header is omitted (e.g. by manually crafting an HTTP request), the target location is based on the server's own hostname or IP address. In a NAT environment this may not be ideal if the server's IP address is considered private.

As of PaperCut version 11.3, the web server may be "forced" to redirect to a defined host name. If this option is used, it is important that all users access PaperCut via this defined host name, and that this host name is accessible to all users. To enable this option:

1. Open [app-path]/server/server.properties in a text editor.
2. Add the line:

       server.force-host-header=printing.uni.edu

   where printing.uni.edu is the fully qualified host name that all users will access PaperCut on.
3. Restart the PaperCut Application Server service.
4. Test access to the web interface (using both HTTP and HTTPS if applicable).
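One way to confirm the change in step 4 is to repeat the check an audit scanner performs and inspect the redirect target. The script below is an added example, not part of PaperCut or its documentation; the function names, the sample responses and the port and path inside them are constructed, and it covers plain HTTP only.

```python
import ipaddress
import socket
import sys
from urllib.parse import urlsplit

def fetch_without_host(server, port=80, path="/"):
    """Send an HTTP/1.0 request with no Host header; return the response head."""
    with socket.create_connection((server, port), timeout=5) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")

def redirect_host(response_head):
    """Host named in the Location header, or None (no or relative redirect)."""
    for line in response_head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return urlsplit(value.strip()).hostname
    return None

def check_redirect(response_head, expected_host):
    """Return 'ok', 'internal-ip', 'unexpected-host' or 'no-redirect'."""
    host = redirect_host(response_head)
    if host is None:
        return "no-redirect"
    if host.lower() == expected_host.lower():
        return "ok"
    try:
        if ipaddress.ip_address(host).is_private:
            return "internal-ip"
    except ValueError:
        pass  # Location holds a name, not an IP literal
    return "unexpected-host"

# Constructed sample response heads: before and after setting the option.
BEFORE = "HTTP/1.1 302 Found\r\nLocation: http://10.1.2.3:9191/user\r\nContent-Length: 0"
AFTER = "HTTP/1.1 302 Found\r\nLocation: http://printing.uni.edu:9191/user\r\nContent-Length: 0"

if __name__ == "__main__":
    # usage: script.py <server address> <expected host name> [port]
    server, expected = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    print(check_redirect(fetch_without_host(server, port), expected))
```

Run it against the server's address with the host name configured in server.force-host-header as the expected value. A result of "ok" means the redirect no longer falls back to the server's own address.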