Configure security policies and HTTP response headers

SecureTransport allows you to configure HTTP response headers separately for the Administration Tool server and the (end-user's) HTTP server. Those headers are set by using dedicated configuration options in the Server Configuration.

Note Changing the value of a configuration option for the Administration Tool server requires Admin service restart to take effect. Changing the value of a configuration option for an HTTP server requires HTTP server restart to take effect.

Content-Security-Policy

This header defines content sources that are approved, permitting the browser to load them. You can configure Content-Security-Policy by editing the following parameters:

  • Admin.Security.ContentSecurityPolicy
  • Http.Security.ContentSecurityPolicy

Possible values for both configuration options:

  • default-src 'self' – The default policy for loading content such as JavaScript, images, CSS, fonts, etc.
  • style-src 'self' 'unsafe-inline' – Specifies the current origin as a valid source for stylesheets and allows inline styles.
  • script-src 'self' 'unsafe-eval' 'unsafe-inline' – Specifies valid sources for JavaScript: authorizes the execution of JavaScript from the current origin, allows text-to-JavaScript mechanisms like eval and inline JavaScript and CSS.

Strict-Transport-Security (HSTS)

This header forces the browser to use secure connections when a site is running over HTTPS. You can configure the Strict-Transport-Security header by editing the following parameters:

  • Admin.Security.Hsts.enabled – enables/disables HSTS for the Administration Tool server. Boolean, the default is true.
  • Admin.Security.Hsts.max-age – specifies the max-age directive in the HSTS header for the Administration Tool server, in seconds. The default is 15768000 (6 months).
  • Http.Security.Hsts.enabled – shows whether HSTS is enabled for the HTTP Server. The value of this configuration option depends on the selection of the Enable HSTS checkbox in Operations->Server Control. Boolean; the default is true, which means that HSTS is enabled and an HSTS response will always be sent, redirecting the plain HTTP connection to HTTPS.
  • Http.Security.Hsts.max-age – specifies the max-age directive in the HSTS header for HTTP server, in seconds. The default is 15768000 (6 months).

X-XSS-Protection

Depending on how this header is set, the browser will either remove the script or stop the page from being rendered when a cross-site scripting attack is detected. You can configure the X-XSS-Protection header by editing the following server configuration options:

  • Admin.Security.XSSProtection
  • Http.Security.XSSProtection

Possible values:

  • 0 – Disables the XSS filtering.
  • 1 – Enables the XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
  • 1; mode=block – Enables XSS filtering. Instead of sanitizing, the browser will prevent rendering of the page if an attack is detected.
  • 1; report=<report-uri> – Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation using the CSP report-uri directive.

X-Frame-Options

This header provides clickjacking protection by not allowing rendering of a page in an iFrame. You can configure X-Frame-Options by editing the Admin.Security.FrameOptions configuration option.

Possible values:

  • deny – The page cannot be displayed within an iFrame.
  • sameorigin – The page can only be displayed in an iFrame on the same origin as the page itself.

X-Content-Type-Options

Setting the X-Content-Type-Options header prevents the browser from interpreting files as anything other than the type declared by the Content-Type header of the response (MIME sniffing). This header has only one valid value, nosniff, which can be configured by editing the Http.Security.ContentTypeOptions configuration option.

Server

The Server header may expose information like your server platform and software. You can remove or limit the content of the header by editing the following server configuration options:

  • Admin.ServerHeaderTokens
  • Http.ServerHeaderTokens

Possible values:

  • Full – Default; the header field shows the product name, build number, and the operating system (with the result being, for example, Server: SecureTransport 5.4 (build: 1111) - Linux).
  • Prod – The header field shows the product name, SecureTransport.
  • OS – The header field shows the operating system on which SecureTransport is running (with the result being, for example, Server: Linux).
  • None – Depending on the Jetty version, the Server header is not displayed or its field is empty.

Cache-Control

You can define response caching policies for the Administration Tool server by editing the Admin.ControlCaching server configuration option.

Possible values:

  • true – Default; request caching is enabled.
  • false – The Cache-Control directive is set to no-cache, no-store on all static and non-static requests.

Note When requests are not being cached, performance degradation may occur.
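As an added example (not SecureTransport's own code), the following script parses a captured response header block and checks each header against the policies described on this page. The sample response, the finding strings and the HSTS threshold (the page's 15768000-second default) are constructed here for illustration.

```python
import re

# Constructed sample response (not captured from a real SecureTransport server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline'
Strict-Transport-Security: max-age=15768000
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Server: SecureTransport 5.4 (build: 1111) - Linux
Cache-Control: no-cache, no-store
"""

HSTS_DEFAULT_MAX_AGE = 15768000  # the 6-month default this page documents

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP: allows inline scripts/styles or eval")
    hsts = headers.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings.append("HSTS: header missing or without max-age")
    elif int(match.group(1)) < HSTS_DEFAULT_MAX_AGE:
        findings.append("HSTS: max-age below the 6-month default")
    if headers.get("x-xss-protection", "").split(";")[0].strip() != "1":
        findings.append("X-XSS-Protection: filtering not enabled")
    if headers.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options: page can be framed (clickjacking)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    # A Full server token leaks the build number and OS; Prod or None does not.
    if re.search(r"build:|linux|windows", headers.get("server", ""), re.I):
        findings.append("Server: exposes build number or OS (set ServerHeaderTokens to Prod or None)")
    return findings
```

Running `audit_headers(parse_headers(SAMPLE_RESPONSE))` flags the relaxed CSP directives and the Full server token while the remaining headers pass.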
