3 Configuring Additional HTTP Response Headers
This chapter includes information about the default HTTP Response Headers you can use to improve browser security, and provides information about how to add and manage additional headers.
This chapter includes the following sections:
- Default HTTP Response Headers: The OWASP Secure Headers Project (also called OSHP) recommends HTTP response headers that you can use to increase browser security.
- Adding New HTTP Response Headers: If any recommended header is missing from EDQ HTTP responses, you can include such missing headers by defining them in the director.properties file.
- Updating Headers used to Disable Caching: The two default headers used to disable caching should be suitable in all cases. However, if you wish to update these, you can add an additional JSON file with new or replaced header values.
Default HTTP Response Headers
The OWASP Secure Headers Project (also called OSHP) recommends HTTP response headers that you can use to increase browser security. EDQ includes the following headers in its HTTP responses by default:
| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| X-Frame-Options | deny |
| Content-Security-Policy | default-src 'self' 'unsafe-eval'; img-src 'self' data:; child-src 'none'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'; frame-ancestors 'none' |
| Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Opener-Policy | same-origin |
| Cross-Origin-Resource-Policy | same-origin |
Additionally, these headers are added to any dynamic response that should not be cached:
| Header | Value |
|---|---|
| Cache-Control | no-store |
| Pragma | no-cache |
Note that the application server (WebLogic or Tomcat) will also include security-related headers in responses.
Adding New HTTP Response Headers
If any recommended header is missing from EDQ HTTP responses, you can include such missing headers by defining them in the director.properties file.
To configure additional response headers, create a file containing a JSON object in which the attribute names are the header names and the values are the header values. To remove a default header from the response, set the value to null.
Add the following to director.properties:

```properties
http.responseheaders = name of the JSON file
```

If the value here is not an absolute file name, EDQ will look for the file in the local configuration directory.

For example, to remove the default X-Frame-Options header and add the X-new-header header, create a JSON file named headers.json that includes the following:

```json
{
  "X-Frame-Options": null,
  "X-new-header": "some new value"
}
```

Now add the following to director.properties:

```properties
http.responseheaders = headers.json
```

To remove all of the default headers, add the following to director.properties:

```properties
http.responseheaders.replace = true
```
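The override rules above (a JSON object of header names to values, null removes a default, http.responseheaders.replace = true discards all defaults) are easy to get wrong in a way that silently drops a protective header. The following added example, which is not part of EDQ or this documentation, models those rules in Python so that a headers.json and the relevant director.properties settings can be checked before deployment; it assumes exact-match header names and that the replace flag is read as the literal string "true".

```python
import json

# The default headers listed in this chapter, as sent by EDQ.
DEFAULT_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "deny",
    "Content-Security-Policy": ("default-src 'self' 'unsafe-eval'; img-src 'self' data:; "
                                "child-src 'none'; object-src 'none'; style-src 'self' 'unsafe-inline'; "
                                "frame-src 'none'; frame-ancestors 'none'"),
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}


def parse_director_properties(text):
    """Minimal parser for the 'key = value' lines used in director.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective_headers(override_json, replace=False):
    """Apply a headers.json override to the defaults.

    A null value removes a default header; any other value adds or replaces it.
    With replace=True the defaults are discarded first. Exact-match names are an
    assumption of this model, not documented EDQ behaviour.
    """
    headers = {} if replace else dict(DEFAULT_HEADERS)
    for name, value in json.loads(override_json).items():
        if value is None:
            headers.pop(name, None)
        else:
            headers[name] = str(value)
    return headers


def effective_headers_from_config(props, override_json):
    """Combine the parsed director.properties with the JSON override file."""
    replace = props.get("http.responseheaders.replace", "false").lower() == "true"
    return effective_headers(override_json, replace)


def missing_recommended(headers):
    """Names of this chapter's default headers that would no longer be sent."""
    return sorted(name for name in DEFAULT_HEADERS if name not in headers)
```

Run missing_recommended over the result of effective_headers_from_config to see exactly which protective headers a proposed override removes, and treat a non-empty list as something to justify in review.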
Updating Headers used to Disable Caching
The two default headers used to disable caching should be suitable in all cases. However, if you wish to update these, you can add an additional JSON file with new or replaced header values.
To configure the JSON file location, add the following line to director.properties:
```properties
http.responseheaders.nocache = name of file containing JSON with caching headers
```

To remove both of the standard no-cache headers, add the following line:

```properties
http.responseheaders.nocache.replace = true
```