Recommended HTTP response headers
This page lists recommended HTTP response headers that improve the security of Caplin FX Professional.
For guidance on setting HTTP headers, see Setting HTTP response headers.
X-Frame-Options
The X-Frame-Options response header can be used to indicate that a web page should not render in a <frame>
, <iframe>
, <embed>
, or <object>
element. This header helps prevent clickjacking attacks. For more information, see the OWASP Clickjacking Defence Cheat Sheet.
X-Frame-Options: deny
Content-Security-Policy
The Content-Security-Policy response header allows system administrators to control the resources the browser is allowed to load for a given page. For more information, see the OWASP Content Security Policy Cheat Sheet.
Caplin recommend you set the following value for the Content-Security-Policy
HTTP header, substituting appropriate values for <primary-liberator-server>
, <primary-liberator-port>
, <secondary-liberator-server>
, and <secondary-liberator-port>
.
Content-Security-Policy: frame-ancestors 'none'; default-src 'self'; script-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; style-src blob: 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' blob: wss://<primary-liberator-server>:<primary-liberator-port>/ https://<primary-liberator-server>:<primary-liberator-port>/ wss://<secondary-liberator-server>:<secondary-liberator-port>/ https://<secondary-liberator-server>:<secondary-liberator-port>/; worker-src blob: 'self'; frame-src blob: 'self' https://<primary-liberator-server>:<primary-liberator-port>/ https://<secondary-liberator-server>:<secondary-liberator-port>/;
Strict-Transport-Security
The Strict-Transport-Security response header can be used to indicate to browsers that a given website should only be accessed via HTTPS. For more information, see the OWASP HTTP Strict Transport Security Cheat Sheet.
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options
The X-Content-Type-Options response HTTP header can be used to disable MIME-type detection ('sniffing') in web browsers. When MIME-type detection is permitted, a browser may ignore the declared MIME type of a resource in the Content-Type
header if the browser detects executable content in the resource.
X-Content-Type-Options: nosniff
X-XSS-Protection
The X-XSS-Protection response HTTP header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
X-XSS-Protection: 1; mode=block
Referrer-Policy
The Referrer-Policy
response HTTP header prevents possible leaking of information in the Referer
HTTP header.
Note the difference in spelling of 'referrer' in the headers Referrer-Policy and Referer . The older Referer header is a misspelling of 'referrer'.
|
Referrer-Policy: same-origin
Feature-Policy
The Feature-Policy
response HTTP restricts the web application’s access to browser features not used by the application, which reduces the attack surface if the web application is compromised.
Feature-Policy: ambient-light-sensor 'none'; autoplay 'none'; accelerometer 'none'; camera 'none'; display-capture 'none'; document-domain 'self'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'self'; sync-xhr 'self'; usb 'none'; wake-lock 'none'; webauthn 'none'; vr 'none'; xr-spatial-tracking 'none'
Expect-CT
The Expect-CT
response HTTP header enforces Certificate Transparency (CT) in web browsers. When CT is enforced, the browser rejects a TLS certificate for your website if it does not contain valid signed certificate timestamps (SCTs) from valid CT logs. This prevents the browser from subsequently accepting certificates for your website that have been issued 'off-the-record' by the public-key infrastructure (PKI) of a compromised certificate authority (CA).
Expect-CT: enforce, max-age=172800
Cache-Control
The Cache-Control
HTTP header can be used to prevent browsers from caching web application resources to disk.
We recommend Cache-Control: no-store is not set for Caplin FX Sales, Caplin FX Professional, and Caplin FX Corporate. This header has been found to prevent the initial rendering of web fonts in Internet Explorer 11.
|
Cache-Control: no-store