Set HTTP secure headers

Safeguard server and user data with HTTP secure headers.

Oracle highly recommends adding Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), and X-Content-Type-Options security headers. This can be achieved through configuring Oracle HTTP Server (OHS), which is installed along with WebLogic.
  1. To add the HSTS header, edit the ssl.conf file in the OHS domain instance directory; for example:
     /u01/app/oracle/product/Middleware14c/user_projects/domains/empirica/config/fmwconfig/components/OHS/instances/ohs1

     Replace the lines under the comment "SSL Virtual Host" with the following node:

     <VirtualHost example.com:8002>
         Header always set Strict-Transport-Security "max-age=63072000; preload; includeSubDomains"
     </VirtualHost>

     Note: Replace example.com:4443 with the actual domain URL and port number.
  2. To add the CSP and X-Content-Type-Options headers, edit the httpd.conf file in the OHS domain instance directory; for example:
     /u01/app/oracle/product/Middleware12c/user_projects/domains/empirica/config/fmwconfig/components/OHS/instances/ohs1

     and add the following node if it doesn't already exist:

     <IfModule mod_headers.c>
         Header always set X-Content-Type-Options nosniff
         Header set Content-Security-Policy "default-src 'self'"
     </IfModule>
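After restarting OHS, verify that responses actually carry the three headers. The following checker is an added example, not part of Oracle's documentation; the host and port passed to fetch_headers and the sample responses embedded below are constructed assumptions.

```python
# Added example (not Oracle's code): check an HTTPS response for the three
# headers recommended above. Host, port and sample responses are constructed.
import http.client
import ssl
REQUIRED = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
}

def check_security_headers(headers, min_max_age=31536000):
    """Return {header name: problem} for missing or weak headers.
    `headers` is an iterable of (name, value) pairs, as http.client returns."""
    present = {name.lower(): value.strip() for name, value in headers}
    findings = {name: "missing" for name in REQUIRED if name not in present}
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
        max_age = next((d for d in directives if d.startswith("max-age=")), None)
        if max_age is None or not max_age[8:].isdigit():
            findings["strict-transport-security"] = "max-age missing or not numeric"
        elif int(max_age[8:]) < min_max_age:
            findings["strict-transport-security"] = f"max-age below {min_max_age}"
        elif "includesubdomains" not in directives:
            findings["strict-transport-security"] = "includeSubDomains not set"
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings["x-content-type-options"] = f"unexpected value {xcto!r}"
    return findings

def fetch_headers(host, port=443, path="/"):
    """Fetch a live server's response headers over TLS (host/port are yours)."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context())
    conn.request("HEAD", path)
    return conn.getresponse().getheaders()

# Constructed sample responses: one as expected after the OHS configuration
# above, one with a short max-age and no CSP header.
SAMPLE_OK = [
    ("Strict-Transport-Security", "max-age=63072000; preload; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
]
SAMPLE_WEAK = [
    ("Strict-Transport-Security", "max-age=300"),
    ("X-Content-Type-Options", "NOSNIFF"),
]
if __name__ == "__main__":
    print(check_security_headers(SAMPLE_OK), check_security_headers(SAMPLE_WEAK))
```

Run check_security_headers(fetch_headers("your-ohs-host", 8002)) against the configured virtual host; an empty dict means all three headers are present with acceptable values.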
For details, please refer to Administering Security for Oracle HTTP Server at https://docs.oracle.com/en/middleware/fusion-middleware/web-tier/14.1.2/secure-ohs/configurations-enhanced-security.html.