5.4 HTTPS Security and Cache Headers

Review the supported security and cache headers.

The MA server accepts and returns HTTPS envelopes that contain a set of headers that govern how the server, the client, and proxies handle the HTTPS contents. For HTTPS information, see:

Security Headers

The security headers that can be issued are:

Content Security Policy (CSP)

The CSP is included as a header in server responses and tells the client which sources of content (here, scripts) it may load and execute for the page sent by the server.

The default CSP header statement is:

Content-Security-Policy: script-src 'self' 'unsafe-eval' 'unsafe-inline'

The options are:

  • script-src: The CSP directive that restricts where the client may load scripts from. 'self' limits scripts to the page's own origin.

  • unsafe-eval: Permits scripts to be created from strings at run time (for example, through eval()).

  • unsafe-inline: Permits inline <script> elements and inline event handlers.

X-Frame-Options

The X-Frame-Options is included as a header in server responses and signals whether or not a user-agent should be allowed to render the content in a <frame>, <iframe>, or <object>. Websites use <frame> and <iframe> to create mash-ups or to embed part of one site in another. However, this exposes the embedded site to clickjacking (classified as a user interface redress) attacks. The SAMEORIGIN directive prevents the client from rendering the content as embedded unless the embedding page is from the same site (origin).

The default X-Frame-Options statement is:

X-Frame-Options: SAMEORIGIN

The option is SAMEORIGIN.

X-XSS-Protection

The X-XSS-Protection is included as a header in server responses and configures the user-agent's built-in XSS (cross-site scripting) protection. The options enable or disable the protection and can be combined with block and report.

The default X-XSS-Protection statement is:

X-XSS-Protection: 1; mode=block

The options are:

  • 1: Enable the user-agent's protection mode.

  • 2: Disable the user-agent's protection mode.

  • mode=block: Block rendering of the server's response when the user-agent detects that a script in the response was injected from user input.

  • mode-report=url: Report the potential XSS attack to the designated URL. Only supported by Chrome and WebKit.

X-Content-Type-Options

The default X-Content-Type-Options statement is:

X-Content-Type-Options: nosniff

The option is nosniff.
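The four security headers above are only useful if every response actually carries them with the documented values, so a deployment check is worth automating. The following is an added example, not code from the MA server or its documentation: it audits a response's headers against the defaults listed on this page, parses the CSP into directives, and flags the 'unsafe-eval' and 'unsafe-inline' keywords for review (they are in the default policy, but they widen what the client will execute). The sample header sets are constructed for the example; the function names are this example's own.

```python
"""Audit the security headers documented above against a response's headers."""
from __future__ import annotations

# Documented defaults for the fixed-value security headers (header names are
# compared case-insensitively, as HTTP header names are).
EXPECTED_SECURITY_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
}

# CSP source keywords that loosen script-src: reported as warnings, not failures,
# because they are part of the documented default policy.
RISKY_CSP_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        policy[parts[0].lower()] = parts[1:]
    return policy


def audit_security_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """Return {'missing': [...], 'mismatch': [...], 'warnings': [...]} for one response."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    result: dict[str, list[str]] = {"missing": [], "mismatch": [], "warnings": []}

    for name, expected in EXPECTED_SECURITY_HEADERS.items():
        if name not in norm:
            result["missing"].append(name)
        elif norm[name].replace(" ", "").lower() != expected.replace(" ", "").lower():
            result["mismatch"].append(f"{name}: got {norm[name]!r}, expected {expected!r}")

    csp = norm.get("content-security-policy")
    if csp is None:
        result["missing"].append("content-security-policy")
    else:
        script_src = parse_csp(csp).get("script-src")
        if script_src is None:
            result["warnings"].append("csp: no script-src directive")
        else:
            present = {s.lower() for s in script_src}
            for keyword in sorted(RISKY_CSP_KEYWORDS & present):
                result["warnings"].append(f"csp: script-src allows {keyword}")
    return result


# Constructed sample: the documented defaults, as the server would return them.
SAMPLE_DEFAULT_RESPONSE = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: a drifted deployment (nosniff dropped, framing widened with the
# obsolete ALLOW-FROM directive; the partner host is a placeholder).
SAMPLE_WEAK_RESPONSE = {
    "Content-Security-Policy": "script-src 'self'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("default", SAMPLE_DEFAULT_RESPONSE), ("weak", SAMPLE_WEAK_RESPONSE)):
        print(label, audit_security_headers(hdrs))
```

In practice the `headers` argument would be the header mapping from an HTTPS client's response object; comparisons ignore header-name case and internal whitespace so that `1;mode=block` and `1; mode=block` are treated as the same value.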

Cache Headers

The supported cache headers are:

Cache-Control

The default Cache-Control statement is:

Cache-Control: no-cache, no-store, must-revalidate

Pragma

The default Pragma statement is:

Pragma: no-cache

Expires

The default Expires statement is:

Expires: 0

HTTP Strict-Transport-Security

The default HTTP Strict-Transport-Security (HSTS) statement is:

Strict-Transport-Security: max-age=expire-time; includeSubDomains

The configured default for max-age is 31536000 (one year, in seconds), and includeSubDomains specifies that the HSTS policy applies to the requesting domain and all of its subdomains. The default configuration is controlled by:

{ "config" : { "hstsEnabled": true, "hstsDetails": "max-age=31536000 ; includeSubDomains" }}

The options are:

hstsEnabled controls whether or not the HSTS header is included in responses.

hstsDetails defines the value of the HSTS header, see RFC 6797 HTTP Strict Transport Security (HSTS).
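Because the HSTS header is assembled from the hstsDetails string, a check that the string the configuration carries is what the client will actually receive (and still parses under the RFC 6797 syntax, including the space before ';' in the default) is useful when reviewing a deployment. The following is an added example, not code from the MA server or its documentation: it derives the Strict-Transport-Security header from the config block shown above, parses the header's max-age and includeSubDomains directives, and audits the three cache headers against their documented defaults. The config JSON and response headers are constructed for the example; the function names are this example's own.

```python
"""Derive, parse and audit the HSTS and cache headers from the configuration above."""
from __future__ import annotations

import json

ONE_YEAR_SECONDS = 31536000  # the documented default max-age

# All three directives appear in the documented Cache-Control default.
REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}


def hsts_header_from_config(config_json: str) -> dict[str, str]:
    """Return the HSTS header the config implies; empty when hstsEnabled is false."""
    config = json.loads(config_json)["config"]
    if not config.get("hstsEnabled", False):
        return {}
    return {"Strict-Transport-Security": config["hstsDetails"]}


def parse_hsts(value: str) -> dict[str, object]:
    """Parse an HSTS value (RFC 6797: ';'-separated directives, whitespace tolerated)."""
    parsed: dict[str, object] = {"max_age": None, "include_subdomains": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            parsed["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed


def audit_transport_and_cache(headers: dict[str, str]) -> list[str]:
    """Return findings for HSTS and the cache headers; an empty list means defaults hold."""
    norm = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = norm.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts: header missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("hsts: max-age missing (the header is invalid without it)")
        elif parsed["max_age"] < ONE_YEAR_SECONDS:
            findings.append(f"hsts: max-age {parsed['max_age']} below the default {ONE_YEAR_SECONDS}")
        if not parsed["include_subdomains"]:
            findings.append("hsts: includeSubDomains not set")

    cache_control = norm.get("cache-control", "")
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    for missing in sorted(REQUIRED_CACHE_DIRECTIVES - directives):
        findings.append(f"cache-control: missing {missing}")
    if norm.get("pragma", "").strip().lower() != "no-cache":
        findings.append("pragma: expected no-cache")
    if norm.get("expires", "").strip() != "0":
        findings.append("expires: expected 0")
    return findings


# Constructed sample config: the default settings exactly as documented above.
DEFAULT_CONFIG = '{ "config" : { "hstsEnabled": true, "hstsDetails": "max-age=31536000 ; includeSubDomains" }}'


def sample_default_response() -> dict[str, str]:
    """Constructed response: documented cache defaults plus the config-derived HSTS header."""
    headers = {"Cache-Control": "no-cache, no-store, must-revalidate", "Pragma": "no-cache", "Expires": "0"}
    headers.update(hsts_header_from_config(DEFAULT_CONFIG))
    return headers


if __name__ == "__main__":
    print(audit_transport_and_cache(sample_default_response()))
    # A response that dropped HSTS and weakened caching.
    print(audit_transport_and_cache({"Cache-Control": "no-cache", "Expires": "0"}))
```

Note that parse_hsts accepts the documented default with its space before ';' as well as the tighter `max-age=31536000; includeSubDomains` form, and that a response which omits max-age is reported as invalid rather than merely short, since a client ignores an HSTS header without it.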