HTTP Headers

We recommend setting the following additional security headers. In most cases it makes the most sense to configure them in your reverse proxy. However, you can also configure them in the embedded web server via the WebServer.HttpHeaders key in the ivy.yaml, and you can add headers beyond the ones listed below.

Warning

If you define the headers Strict-Transport-Security, X-Frame-Options or X-Content-Type-Options via the ivy.yaml, make sure that you remove the HttpHeaderSecurityFilter from your web.xml configuration. Otherwise the filter also handles these headers and the values you configured may not end up in the response as expected.

  • Strict-Transport-Security (HSTS): Set this header if the Engine is to be accessed via HTTPS only. For more information, see: Strict-Transport-Security (MDN).

  • Content-Security-Policy (CSP): Set this header to reduce the risk that a Cross-site scripting (XSS) vulnerability is exploitable. With a Content-Security-Policy you define from which locations external resources may be loaded and whether scripts embedded in the HTML may be executed. For more information, see: Content Security Policy (MDN). If you use the WebServer.PrimeFaces.ContentSecurityPolicy configuration in the ivy.yaml, the CSP functionality of PrimeFaces is used instead.

  • X-Frame-Options: We set this header to SAMEORIGIN by default because the Engine itself uses iframes; setting it to DENY would also block the Engine's own frames. For more information, see: X-Frame-Options (MDN).

  • X-Content-Type-Options: We set this header to nosniff by default. For more information, see: X-Content-Type-Options (MDN).

  • Referrer-Policy: We set this header to strict-origin-when-cross-origin by default. For more information, see: Referrer-Policy (MDN).

  • Cross-Origin-Opener-Policy (COOP): Set this header to isolate the Engine's browsing context from cross-origin windows, so that a cross-origin page that opens the Engine (or is opened by it) cannot keep a reference to its window. For more information, see: Cross-Origin-Opener-Policy (MDN).

  • Cross-Origin-Embedder-Policy (COEP): Set this header to prevent the Engine's pages from embedding cross-origin resources that have not explicitly opted in (via CORS or a Cross-Origin-Resource-Policy header). For more information, see: Cross-Origin-Embedder-Policy (MDN).

  • Cross-Origin-Resource-Policy (CORP): Set this header to tell the browser to block no-cors cross-origin (or cross-site) requests for the given resource. For more information, see: Cross-Origin-Resource-Policy (MDN).
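The following script is an added example and is not part of the Engine or its documentation. It audits a set of response headers against the recommendations above (HSTS only when the Engine is served over HTTPS, a CSP without bare 'unsafe-inline' in script-src, X-Frame-Options limited to DENY or SAMEORIGIN, nosniff, a non-leaking Referrer-Policy, and the presence of COOP, COEP and CORP) and prints a WebServer.HttpHeaders fragment for whatever is missing. The recommended values in RECOMMENDED, the one-year HSTS minimum, the fetch_headers helper and the exact shape of the generated ivy.yaml fragment are assumptions for this example; check the Engine reference for the precise key layout before pasting it. The sample headers at the bottom are constructed, so the script runs offline.

```python
"""Audit HTTP response headers against the hardening list on this page.

Added example, not code from the Axon Ivy Engine or its documentation. The
recommended values below are common hardening defaults (assumptions, not values
mandated by the Engine); adjust them to your deployment.
"""
import re
from urllib.request import Request, urlopen

# Minimum HSTS max-age we accept: one year (assumption; it is the hstspreload.org minimum).
MIN_HSTS_MAX_AGE = 31536000

# Values written into the generated ivy.yaml fragment (assumption: typical hardening defaults).
RECOMMENDED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}


def _normalize(headers):
    """HTTP header names are case-insensitive, so lower-case them for lookups."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def audit_headers(headers, https=True):
    """Return a list of (header, finding) tuples; an empty list means every check passed."""
    h = _normalize(headers)
    findings = []

    hsts = h.get("strict-transport-security")
    if https:
        if hsts is None:
            findings.append(("Strict-Transport-Security", "missing"))
        else:
            m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
            if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append(("Strict-Transport-Security", f"max-age below {MIN_HSTS_MAX_AGE}"))
    elif hsts is not None:
        # Browsers ignore HSTS on plain-HTTP responses; sending it there hints at a misconfiguration.
        findings.append(("Strict-Transport-Security", "sent over HTTP, browsers ignore it"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "missing"))
    else:
        # script-src falls back to default-src. A bare 'unsafe-inline' (no nonce or hash
        # alongside it) re-enables exactly the inline script injection CSP is meant to stop.
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src", directives.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append(("Content-Security-Policy", "script-src allows 'unsafe-inline' without nonce/hash"))

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append(("X-Frame-Options", "missing"))
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", f"unsupported value {xfo!r} (ALLOW-FROM is obsolete)"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append(("Referrer-Policy", "missing"))
    elif rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("Referrer-Policy", f"{rp} leaks full URLs cross-origin"))

    for name in ("Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy", "Cross-Origin-Resource-Policy"):
        if name.lower() not in h:
            findings.append((name, "missing"))
    return findings


def render_ivy_yaml_fragment(findings):
    """Emit a WebServer.HttpHeaders fragment covering every header that had a finding.

    Assumption: each header name is a key directly under WebServer.HttpHeaders in ivy.yaml.
    Values are double-quoted so ';' and quotes inside them stay valid YAML.
    """
    names = list(dict.fromkeys(name for name, _ in findings))  # de-duplicate, keep order
    lines = ["WebServer:", "  HttpHeaders:"]
    lines += [f'    {name}: "{RECOMMENDED[name]}"' for name in names]
    return "\n".join(lines)


def fetch_headers(url):
    """Fetch the response headers of a running Engine (not used by the offline sample below)."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())


# Constructed sample: the Engine defaults plus a too-short HSTS and a CSP weakened by 'unsafe-inline'.
SAMPLE_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    findings = audit_headers(SAMPLE_HEADERS)
    for name, finding in findings:
        print(f"{name}: {finding}")
    print(render_ivy_yaml_fragment(findings))
```

Run it against a live Engine with audit_headers(fetch_headers("https://engine.example/ivy/")), and remember the warning above: if you let the Engine emit the generated HSTS, X-Frame-Options or X-Content-Type-Options values, remove the HttpHeaderSecurityFilter from web.xml first, otherwise the audit may keep reporting the filter's values rather than yours.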