Http Header Providers view

These headers pass additional information with an HTTP request or response between client and server. This information helps ensure the authenticity of the messages, providing security against click-jacking and other threats. This component contains four headers that you may customize as needed. To ensure the most robust security, leave all headers enabled. If you must turn off a header, set its Enabled property to false.
Figure 344.   Http Header Providers view

To access these properties, navigate to System Setup > Miscellaneous > Http Header Providers.

Property: Enabled
Value: check box (defaults to false)
Description: Turns on (true) and off (false) the use of Http Header Providers. Disable the check box (false) if your cameras do not support secure communication or your cameras are not loading in the browser.

Property: Content-Security-Policy
Value: additional properties
Description: Notifies the browser what restrictions should be put on images, JavaScript, or CSS in response to a request for resources. Refer to Content-Security-Policy.

Property: X-Content-Type-Options
Value: drop-down list (defaults to nosniff)
Description: Indicates to browsers that they should apply additional restrictions to the auto-detection of content types in downloaded files. For best security, nosniff is the recommended value.

Property: X-Frame-Options
Value: drop-down list (defaults to Sameorigin)
Description: Indicates whether a browser should be allowed to render pages served by your station in a <frame> or <iframe> of another site. Use it to avoid click-jacking attacks.
  Sameorigin allows the browser to embed other pages from within the same station. This is considered a safe practice and is necessary for the correct functioning of the HTML5 Hx Profile.
  Deny prevents the browser from loading the page in a frame.
  NOTE: Deny inhibits the display of some typical HTML5 Hx Profile views.
  Any may cause a Cross-Frame Scripting (XFS) or click-jacking vulnerability and is not recommended. If an external site needs to embed your station's web interface, configure a "frame-ancestors" directive under Content-Security-Policy instead.

Property: X-XSS-Protection
Value: text (defaults to 1; mode=block)
Description: Ensures that, if an XSS attack is detected, the browser prevents the page from loading. 1; mode=block is the recommended value.
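The following is an added example, not code from the station or the Http Header Providers component: a small Python check that audits the headers of one captured HTTP response against the recommended values listed above, flagging a missing or weakened header the way a security review of the station's web interface would.

```python
# Added example, not part of the Http Header Providers component: audit one
# HTTP response's headers against the recommended values on this page.
# `headers` is a dict of header name -> value, as a test client would capture it.

RECOMMENDED = {
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"SAMEORIGIN", "DENY"},
    "X-XSS-Protection": {"1; mode=block"},
}


def audit_headers(headers):
    """Return a list of findings; an empty list means the response matches
    the recommendations. Header names and values compare case-insensitively."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in RECOMMENDED.items():
        value = normalized.get(name.lower())
        if value is None:
            # No X-Frame-Options at all leaves framing unrestricted (the
            # not-recommended "Any" setting); the other two simply lose protection.
            findings.append(f"{name} missing (provider disabled or not emitted)")
        elif value.upper() not in {a.upper() for a in allowed}:
            findings.append(
                f"{name} is '{value}', recommended: {' or '.join(sorted(allowed))}")
    if "content-security-policy" not in normalized:
        findings.append("Content-Security-Policy missing")
    return findings


# Constructed sample responses (not captured from a real station).
HARDENED = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' workbench; report-uri /csp-reports",
}
WEAK = {"Content-Type": "text/html", "X-XSS-Protection": "0"}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "OK")
```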

Content-Security-Policy

The default values for this header have been customized for typical usage with HTML5 Hx Profiles. Additional sources may be added to these directives, but removing any of the default sources may cause your views to stop working.

Figure 345.   Content-Security-Policy properties

The screen capture shows a Workbench Property Sheet. To view this Property Sheet, connect to the station using Workbench and expand Station > Config > Services > WebService > Http Header Providers > Content-Security-Policy.

To view the same properties in the web UI, navigate to System Setup > Miscellaneous > Http Header Providers and expand Content-Security-Policy.

NOTE: The workbench host entry in the properties above allows HTML views, such as Web Chart, to function correctly in Workbench and should not be removed under normal circumstances.

In addition to the standard properties (Enabled and Status), these properties are unique to this component.

Property: Violation Text
Value: text
Description: Creates the text to display when a browser reports a Content-Security-Policy violation to a station, which logs it in the web.reporting.csp log. The station logs the first violation with SEVERE priority, and subsequent violations as FINE.
  NOTE: A Content-Security-Policy violation should not typically occur during normal usage of the system. If you receive one, consider whether your Content-Security-Policy configuration should be changed to match browser behavior or whether the violation represents an attempted XSS attack.

Property: child-src
Value: text
Description: Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> or <iframe>.

Property: connect-src
Value: text (defaults to 'self' workbench ws://%hostname%:%port% wss://%hostname%:%port%)
Description: Restricts the URLs that can be loaded using script interfaces. You can set up a template so that all Content-Security-Policy directives reference the %scheme%, %hostname%, and %port% of the originating HTTP request.
  NOTE: When viewing HTML views in Workbench, this request is made to Workbench. Content-Security-Policy headers include this by default. Removing it may cause HTML views to stop working in Workbench.

Property: default-src
Value: text (defaults to 'self' workbench)
Description: Serves as a fallback for the other fetch directives.

Property: frame-src
Value: text
Description: Specifies valid sources for nested browsing contexts loaded using elements such as <frame> or <iframe>.

Property: font-src
Value: text
Description: Specifies valid sources for fonts loaded using @font-face.

Property: img-src
Value: text (defaults to 'self' workbench data:)
Description: Specifies valid sources of images and favicons.

Property: manifest-src
Value: text
Description: Specifies valid sources of application manifest files.

Property: media-src
Value: text
Description: Specifies valid sources for loading media using the <audio>, <video> and <track> elements.

Property: object-src
Value: text
Description: Specifies valid sources for the <object>, <embed>, and <applet> elements.

Property: report-uri
Value: text (defaults to /csp-reports)
Description: Instructs the user agent to report attempts to violate the Content-Security-Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Property: script-src
Value: text (defaults to 'self' workbench 'unsafe-inline' 'unsafe-eval')
Description: Specifies valid sources for JavaScript. To perform various functions with Asure ID, such as template discovery, template data discovery and badge printing, you must add the Asure ID port number to this property. The syntax is http://localhost:number, where number is the Asure ID port number. For example: 'self' workbench 'unsafe-inline' http://localhost:3001

Property: style-src
Value: text (defaults to 'self' workbench 'unsafe-inline')
Description: Specifies valid sources for stylesheets.

Property: Additional Directives
Value: text
Description: Provides a location to enter any Content-Security-Policy directives not covered by the other properties on this component.

NOTE: The Security Dashboard provides information about the HTTP Header configuration and whether there is any performance degradation. It provides notification for any non-secure headers and explains why the settings are not secure. To secure the header's settings, set the values as described in the Web Service view.
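As an added example, not the station's own code, the Python below shows the two mechanisms the directive table describes: expanding the %scheme%, %hostname% and %port% placeholders from the originating request into one Content-Security-Policy header built from the documented defaults, and handling the JSON report a browser POSTs to report-uri, logging the first violation as SEVERE and later ones as FINE to web.reporting.csp. The CspReportHandler class name, the URL station.example:8443 and the sample report are assumptions constructed for the example.

```python
import json
import logging
from urllib.parse import urlsplit

# Directive defaults as documented on this page; the builder and the
# report handler below are added examples, not the station's own code.
DEFAULT_DIRECTIVES = {
    "default-src": "'self' workbench",
    "connect-src": "'self' workbench ws://%hostname%:%port% wss://%hostname%:%port%",
    "img-src": "'self' workbench data:",
    "script-src": "'self' workbench 'unsafe-inline' 'unsafe-eval'",
    "style-src": "'self' workbench 'unsafe-inline'",
    "report-uri": "/csp-reports",
}

def build_csp(request_url, directives=DEFAULT_DIRECTIVES):
    """Expand %scheme%, %hostname% and %port% from the originating request's URL
    and serialize the directives into one Content-Security-Policy header value."""
    u = urlsplit(request_url)
    port = u.port or (443 if u.scheme == "https" else 80)
    subst = {"%scheme%": u.scheme, "%hostname%": u.hostname, "%port%": str(port)}
    parts = []
    for name, value in directives.items():
        for placeholder, actual in subst.items():
            value = value.replace(placeholder, actual)
        parts.append(f"{name} {value}")
    return "; ".join(parts)

class CspReportHandler:
    """Logs the JSON reports browsers POST to report-uri to web.reporting.csp:
    first one SEVERE, later ones FINE (mapped to ERROR/DEBUG in Python logging)."""
    def __init__(self, violation_text="Content-Security-Policy violation"):
        self.log = logging.getLogger("web.reporting.csp")
        self.violation_text = violation_text
        self.count = 0

    def handle_post(self, body):
        report = json.loads(body).get("csp-report", {})
        self.count += 1
        level = "SEVERE" if self.count == 1 else "FINE"
        self.log.log(logging.ERROR if level == "SEVERE" else logging.DEBUG,
                     "%s [%s]: %s blocked %s", self.violation_text, level,
                     report.get("violated-directive"), report.get("blocked-uri"))
        return level

# Constructed sample report in the csp-report format browsers send: a script
# from the Asure ID port was blocked because it is not listed in script-src.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "violated-directive": "script-src", "blocked-uri": "http://localhost:3001"}})
```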