Adding Custom HTTP Headers to Responses from Siebel
This topic explains how to configure Siebel (v26.5 and later) to add or modify custom
HTTP response headers by updating the GenericHeadersFilter in the Siebel
web.xml.
Steps to Add Custom HTTP Headers in the Siebel HTTP Responses
With Siebel version 26.5 and above, the Siebel application allows you to add custom headers to the HTTP responses that it returns. Follow the steps below to configure your custom headers in the response.
- Take a backup of the Siebel web.xml file, and then open it from the location:
  applicaton_container_external/webapps/siebel/WEB-INF/web.xml
- With version 26.5 and above, you will see a new filter named GenericHeadersFilter in web.xml, as shown below.
  Note: The Content-Security-Policy header is commented out, out of the box, but you can uncomment and edit it as you need.

      <filter>
        <filter-name>GenericHeadersFilter</filter-name>
        <filter-class>com.siebel.swsm.siebelendpoints.GenericHeadersFilter</filter-class>
        <init-param>
          <param-name>Referrer-Policy</param-name>
          <param-value>strict-origin-when-cross-origin</param-value>
        </init-param>
        <init-param>
          <param-name>X-Permitted-Cross-Domain-Policies</param-name>
          <param-value>none</param-value>
        </init-param>
        <!--init-param>
          <param-name>Content-Security-Policy</param-name>
          <param-value>script-src 'self' https://elocation.oracle.com 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self';</param-value>
        </init-param-->
      </filter>

- To add a new custom header, add the XML snippet below, with the appropriate header name and value, to the GenericHeadersFilter section described above.

      <init-param>
        <param-name>RESPONSE_HEADER_NAME</param-name>
        <param-value>RESPONSE_HEADER_VALUE</param-value>
      </init-param>

  Example:

      <init-param>
        <param-name>Cross-Origin-Resource-Policy</param-name>
        <param-value>same-origin</param-value>
      </init-param>

  Note: Before changing or adding any header parameter (especially security headers), remember that doing so can modify the behavior of your existing application in different ways, such as blocking scripts or resources that are accessed across domains, or affecting application behavior in a cluster setup. Ensure thorough testing of your application before making the changes live.
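One way to check the result of the steps above during testing (an added example, not Oracle's code): it reads the init-param entries of GenericHeadersFilter from web.xml, lists headers that are still commented out, and compares the active ones with the headers of a captured response. The function names and the sample web.xml are constructed for illustration, and the script assumes the filter emits each init-param name and value as a response header unchanged.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.xml, trimmed from the filter shown on this page.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <filter>
  <filter-name>GenericHeadersFilter</filter-name>
  <init-param><param-name>Referrer-Policy</param-name>
   <param-value>strict-origin-when-cross-origin</param-value></init-param>
  <init-param><param-name>Cross-Origin-Resource-Policy</param-name>
   <param-value>same-origin</param-value></init-param>
  <!--init-param><param-name>Content-Security-Policy</param-name>
   <param-value>script-src 'self'; connect-src 'self';</param-value></init-param-->
 </filter>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def filter_headers(web_xml, filter_name="GenericHeadersFilter"):
    """Return (active, disabled): headers configured on the named filter, and
    header names found in commented-out init-param blocks anywhere in the file."""
    root = ET.fromstring(web_xml)  # the default parser drops XML comments
    active = {}
    for flt in (e for e in root.iter() if _local(e.tag) == "filter"):
        if _child_text(flt, "filter-name") != filter_name:
            continue
        for p in (c for c in flt if _local(c.tag) == "init-param"):
            active[_child_text(p, "param-name")] = _child_text(p, "param-value")
    disabled = re.findall(
        r"<!--\s*init-param>\s*<param-name>([^<]+)</param-name>", web_xml)
    return active, [d.strip() for d in disabled]

def audit(active, response_headers):
    """Compare configured headers with a captured response.
    Header names are matched case-insensitively, values exactly."""
    got = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings = []
    for name, want in active.items():
        if name.lower() not in got:
            findings.append((name, "missing"))
        elif got[name.lower()] != want:
            findings.append((name, "value differs"))
    return findings
```

Pass `audit` the response headers captured from your test environment as a dictionary; an empty result means every active init-param appeared in the response with the configured value.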