Index | Prev | Next

Http Header Providers (web-HttpHeaderProviders)

These headers pass additional information with an HTTP request or response between client and server. This information ensures the authenticity of the messages providing security against click-jacking and other threats. This component contains four headers that you may customize as needed. To ensure the most robust security, leave all headers enabled. To turn off a header, if necessary, set its Enabled property to false.

For complete details on headers, see the MDN web docs site (https://developer.mozilla.org/en-US/docs/Web/API/Headers).

Figure 220.   Http Header Providers properties
Image

To access these properties, expand Services > WebServices and double-click Http Header Providers.

In addition to the standard property, Enabled, these properties configure header providers.

Property Value Description
Content-Security-Policy additional properties Notifies the browser what restrictions should be put on images, JavaScript, or CSS, in response to a request for resources.

“Csp Header Provider (web-CspHeaderProvider)” documents the additional properties.
X-Content-Type-Options drop-down list (defaults to nosniff) Indicates to browsers that they should apply additional restrictions to auto-detect content types in downloaded files.

For best security, nosniff is the recommended value.

X Frame Options drop-down list (defaults to Sameorigin) Indicates if a browser should be allowed to render pages served by your station in a <frame> or <iframe> of another site. Use it to avoid click-jacking attacks.

Sameorigin allows the browser to embed other pages from within the same station. This is considered a safe practice and is necessary for the correct functioning of the HTML5 Hx Profile.

Deny prevents the browser from loading the page in a frame.

 NOTE: Deny inhibits the display of some typical HTML5 Hx Profile views. 

Any may cause a Cross-Frame Scripting (XFS) or click-jacking vulnerability and is not recommended. If an external site needs to embed your station’s web interface, configure a "frame-ancestors" directive under Content-Security-Policy.

X-XSS-Protection text (defaults to 1; mode=block) Ensures that, if an XSS attack is detected, the browser prevents the page from loading. 1; mode=block is the recommended value.

Related Links

  • WebService (web-WebService) (Parent Topic)

    • Index | Prev | Next