5.4 HTTPS Security and Cache Headers
Review the supported security and cache headers.
The MA server accepts and returns HTTPS envelopes that contain a set of headers that govern how the server, the client, and proxies handle the HTTPS contents. For HTTPS information, see:
- RFC 7034 - HTTP Header Field X-Frame-Options https://tools.ietf.org/html/rfc7034
- RFC 7762 - Initial Assignment for the Content Security Policy https://tools.ietf.org/html/rfc7762
- RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1 https://tools.ietf.org/html/rfc2616
Security Headers
The security headers that can be issued are:
- Content Security Policy (CSP)
  The CSP is included as a header in server responses and defines how the client should handle the content sent by the server.
  The default CSP header statement is:
  Content-Security-Policy: script-src 'self' 'unsafe-eval' 'unsafe-inline'
  The options are:
  - script-src
  - unsafe-eval
  - unsafe-inline
- X-Frame-Options
  X-Frame-Options is included as a header in server responses and signals whether or not the user-agent should be allowed to render the content in a <frame>, <iframe>, or <object>. Websites use <frame> and <iframe> to create mash-ups or to embed part of one site. However, this exposes the embedded site to clickjacking (classified as a user interface redress) attacks. This directive disallows the client from rendering the content as embedded unless the content is from the same site (origin).
  The default X-Frame-Options statement is:
  X-Frame-Options: SAMEORIGIN
  The option is SAMEORIGIN.
- X-XSS-Protection
  X-XSS-Protection is included as a header in server responses and configures the user-agent's built-in XSS (Cross-Site Scripting) protection. The options enable or disable the protection and can be combined with block and report.
  The default X-XSS-Protection statement is:
  X-XSS-Protection: 1; mode=block
  The options are:
  - 1: Enable the user-agent's protection mode.
  - 2: Disable the user-agent's protection mode.
  - mode=block: Block the server's response if the content script was injected as user input.
  - mode-report=url: Report the potential XSS attack to the designated URL. Only supported by Chrome and WebKit.
- X-Content-Type-Options
  The default X-Content-Type-Options statement is:
  X-Content-Type-Options: nosniff
  The option is nosniff.
Cache Headers
The supported cache headers are:
- Cache-Control
  The default Cache-Control statement is:
  Cache-Control: no-cache, no-store, must-revalidate
- Pragma
  The default Pragma statement is:
  Pragma: no-cache
- Expires
  The default Expires statement is:
  Expires: 0
- HTTP Strict-Transport-Security
  The default HTTP Strict-Transport-Security (HSTS) statement is:
  Strict-Transport-Security: max-age=expire-time; includeSubDomains
  The configured default for max-age is 31536000, and includeSubDomains specifies that HSTS applies to the requesting domain and all of its subdomains. The default configuration is controlled by:
  { "config" : { "hstsEnabled": true, "hstsDetails": "max-age=31536000 ; includeSubDomains" }}
  The options are:
  - hstsEnabled: controls whether or not the HSTS header is included in responses.
  - hstsDetails: defines the value of the HSTS header; see RFC 6797 HTTP Strict Transport Security (HSTS).
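As an added check that is not part of this documentation or the MA server's own code, the following Python audits a captured set of response headers against the defaults listed above and derives the HSTS value from the hstsEnabled/hstsDetails configuration document. The sample header values are constructed from this page, and the one-year minimum for max-age is an assumption.

```python
import json
import re

# Constructed sample: the default response header values this page lists (assumption).
DEFAULT_HEADERS = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
}

def parse_csp(value):
    # "dir src src; dir src" -> {directive: [source expressions]}
    return {p[0].lower(): p[1:] for p in (d.split() for d in value.split(";")) if p}
def parse_hsts(value):
    # Return (max-age in seconds or None, includeSubDomains present?).
    max_age, include_sub = None, False
    for token in value.split(";"):
        m = re.fullmatch(r"max-age\s*=\s*(\d+)", token.strip(), re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif token.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def hsts_header_from_config(config_json):
    # Build the HSTS value from the {"config": {...}} document; None when disabled.
    cfg = json.loads(config_json)["config"]
    return cfg["hstsDetails"] if cfg.get("hstsEnabled") else None
def audit_headers(headers, min_hsts_age=31536000):
    # Return a list of findings; an empty list means every check passed.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    script_src = parse_csp(h.get("content-security-policy", "")).get("script-src", [])
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script_src:  # either one undoes most of CSP's XSS protection
            findings.append(f"CSP: script-src allows {weak}")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "no-store" not in [t.strip().lower() for t in h.get("cache-control", "").split(",")]:
        findings.append("Cache-Control: no-store missing, responses may be cached")
    age, sub = parse_hsts(h.get("strict-transport-security", ""))
    if age is None or age < min_hsts_age:
        findings.append("HSTS: max-age missing or below one year")
    elif not sub:
        findings.append("HSTS: includeSubDomains not set")
    return findings
```

Run against the defaults, the audit reports only the two CSP findings, since the shipped script-src keeps 'unsafe-inline' and 'unsafe-eval'.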