2.5 Jetty Properties File
Use the jetty properties available at OSA-19.1.0.0.*/osa-base/etc/jetty.properties to modify certain security features.
Note:
It is recommended that you configure these properties at the installation stage, to avoid restarting your server if they are configured at a later stage.
- jetty.session.timeout
You can set the timeout for the OSA web session. By default the timeout is set to 30 minutes. The value can be changed to any integer greater than 1.
- host.headers.whitelist
You can restrict the Host header values to the values defined with this property.
Example: host.headers.whitelist= www.oracle.com, www.microsoft.com, localhost:9080
Here the value of the Host header can only be one of the three domains listed. Commenting out this property with a # allows all values for the header.
Note:
If you do not explicitly specify the Host header in your request, the default value is host-server:port, where the OSA jetty server is running. Hence you must specify the port number along with the server address.
- xforwarded.host.headers.whitelist
You can restrict the x-forwarded-host header values to the values defined with this property.
Example: xforwarded.host.headers.whitelist= www.oracle.com, www.microsoft.com, localhost
Here the value of the x-forwarded-host header can only be one of the three domains listed. Commenting out this property with a # allows all values for the header. If no domain is entered, that is, if the value of the property is empty, then this header is not supported.
- response.headers.list
A comma-separated list of response headers, which will be sent along with the response for every request.
Example: response.headers.list="x-frame-options: sameorigin, X-Content-Type-Options: nosniff"
By default the above two response headers are set. x-frame-options: sameorigin prevents clickjacking. X-Content-Type-Options: nosniff prevents browsers from sniffing the content type of the response.
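The following is an added example, not Oracle's code and not the OSA or Jetty implementation: it models the documented semantics of the four properties above (a commented-out whitelist allows everything, the Host whitelist is matched including the port, an empty xforwarded whitelist disables the header, and response.headers.list is split into name/value pairs) so an administrator can reason about what a given jetty.properties will and will not accept. The properties snippet is constructed from the documentation's own example values; treating "not supported" as rejecting any supplied x-forwarded-host value is an assumption.

```python
"""Model of the OSA jetty.properties security settings described above.

Added example (not OSA's own code): reproduces the documented semantics so
the effect of each property can be checked offline. The properties text is
constructed from the documentation's example values.
"""
from typing import Optional, List, Tuple, Dict

# Constructed jetty.properties snippet mirroring the documented examples.
SAMPLE_PROPERTIES = """
# jetty.session.timeout is in minutes
jetty.session.timeout=30
host.headers.whitelist= www.oracle.com, www.microsoft.com, localhost:9080
xforwarded.host.headers.whitelist= www.oracle.com, www.microsoft.com, localhost
response.headers.list="x-frame-options: sameorigin, X-Content-Type-Options: nosniff"
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines. Lines starting with '#' are comments, so a
    commented-out property is simply absent from the result (which is what
    "allow all values" keys off)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    return props


def _split_list(value: str) -> List[str]:
    """Split a comma-separated property value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def host_allowed(props: Dict[str, str], host_header: str) -> bool:
    """host.headers.whitelist: absent (commented out) -> any value allowed;
    otherwise the Host value, including its port, must match an entry.
    This is why 'localhost' does not match 'localhost:9080'."""
    value = props.get("host.headers.whitelist")
    if value is None:
        return True
    return host_header in _split_list(value)


def xforwarded_host_allowed(props: Dict[str, str], header: Optional[str]) -> bool:
    """xforwarded.host.headers.whitelist: absent -> any value allowed;
    empty -> header not supported (assumption: any supplied value is
    rejected); otherwise the value must match an entry."""
    value = props.get("xforwarded.host.headers.whitelist")
    if value is None or header is None:
        return True  # nothing to restrict, or no header was sent
    entries = _split_list(value)
    if not entries:
        return False
    return header in entries


def response_headers(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """response.headers.list -> (name, value) pairs added to every response."""
    pairs: List[Tuple[str, str]] = []
    for item in _split_list(props.get("response.headers.list", "")):
        name, _, val = item.partition(":")
        pairs.append((name.strip(), val.strip()))
    return pairs


def session_timeout_minutes(props: Dict[str, str]) -> int:
    """jetty.session.timeout: integer minutes, default 30, must be > 1."""
    value = int(props.get("jetty.session.timeout", "30"))
    if value <= 1:
        raise ValueError("jetty.session.timeout must be an integer greater than 1")
    return value


if __name__ == "__main__":
    p = parse_properties(SAMPLE_PROPERTIES)
    print("Host localhost:9080 allowed:", host_allowed(p, "localhost:9080"))
    print("Host localhost allowed:", host_allowed(p, "localhost"))
    print("Response headers:", response_headers(p))
    print("Session timeout:", session_timeout_minutes(p), "minutes")
```

Running the module shows the port-sensitivity the note above warns about: with the documented example, a request whose Host header is `localhost` is rejected while `localhost:9080` is accepted.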