HP LaserJet, HP PageWide - Secure by Default Initiative (white paper)
When enabled, the CSRF feature prevents sending commands to the device through the EWS configuration interface without first having initiated an EWS session, which establishes the CSRF token. The blocked method is commonly referred to as “web scraping”: commands are captured and then replayed by scripts to configure device settings.
This feature is enabled by default. It can be disabled if required. 
EWS Setting Configuration Path: 
Security Tab -> General Security 
Figure 7: Cross-Site Request Forgery (CSRF) Protection in the Embedded Web Server (EWS) 
Note: See Appendix A – Print Solution and Fleet tool Impacts for effects on device solutions and fleet management tools.
Please see Preventing Cross Site Request Forgery (CSRF) Attack using CSRF-Tokens on HP Printing Devices for more information.
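The session-bound token model described above, as an added illustration that is not HP's EWS code: a configuration command is accepted only when it arrives with the CSRF token that was issued to a live session, so a command captured earlier and replayed without a session (or with a stale token) is refused. The in-memory session store and the token sizes are assumptions for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> CSRF token bound to it.
# Assumption for this example; a device would keep this state in its web server.
SESSIONS = {}


def start_session():
    """Open an EWS-style session and bind a fresh CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id, SESSIONS[session_id]


def end_session(session_id):
    """Closing the session invalidates its token, so a captured token cannot be reused later."""
    SESSIONS.pop(session_id, None)


def csrf_check(session_id, submitted_token):
    """Accept a configuration command only if it carries the token of a live session."""
    expected = SESSIONS.get(session_id)
    if expected is None:
        return False  # no session was ever initiated, or it has ended
    if submitted_token is None:
        return False  # replayed command that carries no token at all
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(expected, submitted_token)
```

A scripted replay of a previously captured command fails the check on two counts: it has no current session, and any token it carries no longer matches a live one.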
Administrator Password Complexity and Minimum Length 
The administrator password complexity feature requires passwords that contain characters from at least 3 of the following 4 categories:
•  Upper case characters 
•  Lower case characters 
•  Numbers 
•  Special characters 
The minimum password length feature requires an administrative password between 1 and 16 characters long. The default setting is 8 characters. A zero (0) minimum password length disables the minimum password length feature.
This feature is enabled by default. It can be disabled if required. 
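The two rules above (3 of 4 character categories, and a configurable minimum length where 0 means disabled) as an added policy checker; this is example code, not HP firmware. The function name and the return shape are assumptions; the numbers are the ones the paper states.

```python
import string


def category_count(password):
    """Count how many of the four character categories the password uses."""
    categories = (
        any(c.isupper() for c in password),             # upper case characters
        any(c.islower() for c in password),             # lower case characters
        any(c.isdigit() for c in password),             # numbers
        any(c in string.punctuation for c in password),  # special characters
    )
    return sum(categories)


def check_admin_password(password, min_length=8, require_complexity=True):
    """Return (ok, reasons) for a candidate administrator password.

    min_length follows the device setting: 1-16 enforces a length, 0 disables
    the length check. The default of 8 matches the paper's default setting.
    """
    if not 0 <= min_length <= 16:
        raise ValueError("minimum length must be 0 (disabled) or between 1 and 16")
    reasons = []
    if min_length and len(password) < min_length:
        reasons.append(f"shorter than the minimum length of {min_length}")
    if require_complexity and category_count(password) < 3:
        reasons.append("uses fewer than 3 of the 4 character categories")
    return (not reasons, reasons)
```

Keeping the two checks separate mirrors the device, where each feature can be disabled on its own; a password of one lowercase word fails complexity even when it satisfies the length rule.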
Account Lockout 
The Account lockout feature protects the device administrative accounts by providing safeguards to prevent brute force hacking attempts. After a set number of failed authentication attempts the system prevents further authentication attempts for a specific interval.
The account lock feature applies to the following passwords: 
•  EWS password 
•  Remote configuration password 
•  SNMPv3 authentication and privacy passphrases 
This feature is enabled by default. It can be disabled if required. 
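The lockout behaviour described above, as an added example that is not HP's implementation: each protected credential (EWS password, remote configuration password, SNMPv3 passphrases) keeps its own failure counter, and once the threshold is reached, every attempt during the lockout interval is refused before the credential is even evaluated. The threshold of 5 and interval of 300 seconds are assumed defaults for the example; the paper does not state the device's values. Time is passed in explicitly so the logic can be exercised without waiting.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutTracker:
    max_failures: int = 5          # assumed threshold; the paper gives no number
    lockout_seconds: int = 300     # assumed interval; the paper gives no number
    failures: dict = field(default_factory=dict)      # credential name -> failed count
    locked_until: dict = field(default_factory=dict)  # credential name -> unlock time

    def is_locked(self, name, now):
        return now < self.locked_until.get(name, 0.0)

    def attempt(self, name, now, credential_ok):
        """Record one authentication attempt; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(name, now):
            return "locked"        # refused without evaluating the credential
        if credential_ok:
            self.failures[name] = 0
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= self.max_failures:
            # Threshold reached: start the interval and reset the counter for the next window.
            self.failures[name] = 0
            self.locked_until[name] = now + self.lockout_seconds
        return "failed"
```

Because the counters are per credential, a lockout on the EWS password does not block SNMPv3 authentication; a monitoring tool would watch for repeated "locked" results as the signal of a guessing campaign.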