Setting HTTP response headers
This page describes how to set HTTP response headers in Caplin FX Professional.
Setting HTTP headers in a web proxy
Version: Caplin FX Professional <= 3.19
If you have deployed a reverse proxy in front of your Java web application server, then you can use the proxy to set HTTP response headers. Consult the documentation for your web proxy.
For a list of recommended HTTP headers, see Recommended HTTP response headers.
Setting HTTP headers in the web application context
Version: Caplin FX Professional >= 3.20
You can configure HTTP response headers by setting the following environment entries in the web application context:
-
CUSTOM.HEADER.header_name
: a HTTP header value -
ENABLED.CUSTOM.HEADERS
: a comma-separated list of the names of enabled HTTP headers
The following environment entries are set by default in the deployment descriptor (web.xml
) and can be overridden by you in the web application context:
Environment entry | Value |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We recommend you override the value of CUSTOM.HEADER.Content-Security-Policy to the value specified in Recommended HTTP response headers.
|
The Cache-Control
header was removed from the default set of headers in FX Professional 3.21.0. The header Cache-Control: no-store
was found to prevent the initial rendering of web fonts in Internet Explorer 11.
Tomcat 8 examples
In Tomcat 8, web application context configuration files are stored under <tomcat_root>/conf/Catalina/<host>/
. For more information, see The Context Container in the Apache Tomcat 8 documentation.
In the example below, the default value for Content-Security-Policy
is updated to the value recommended in Recommended HTTP response headers. The placeholders for the primary and secondary Liberator hosts have been replaced with example values 'lib1.example.com:443' and 'lib2.example.com:443' respectively.
<Context>
...
<Environment
name="CUSTOM.HEADER.ContentSecurityPolicy"
type="java.lang.String"
value="My custom value"
override="frame-ancestors 'none'; default-src 'self'; script-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; style-src blob: 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' blob: wss://lib1.example.com:443/ https://lib1.example.com:443/ wss://lib2.example.com:443/ https://lib2.example.com:443/; worker-src blob: 'self'; frame-src blob: 'self' https://lib1.example.com:443/ https://lib2.example.com:443/"
>
...
</Context>
In the example below, a new header is defined and added to the default list of enabled HTTP headers:
<Context>
...
<Environment
name="CUSTOM.HEADER.X-My-Custom-Header"
type="java.lang.String"
value="My custom value"
override="false"
>
<Environment
name="ENABLED.CUSTOM.HEADERS"
type="java.lang.String"
value="X-My-Custom-Header,X-Frame-Options,Content-Security-Policy,Strict-Transport-Security,X-Content-Type-Options,X-XSS-Protection,Referrer-Policy,Feature-Policy,Expect-CT"
override="false"
>
...
</Context>