Setting HTTP response headers
This page describes how to set HTTP response headers in Caplin FX Sales.
Setting HTTP headers in a web proxy
Version: Caplin FX Sales <= 2.9
If you have deployed a reverse proxy in front of your Java web application server, then you can use the proxy to set HTTP response headers. Consult the documentation for your web proxy.
For a list of recommended HTTP headers, see Recommended HTTP response headers.
Setting HTTP headers in the web application context
Version: Caplin FX Sales >= 2.10
You can configure HTTP response headers by setting the following environment entries in the web application context:
- CUSTOM.HEADER.header_name: an HTTP header value
- ENABLED.CUSTOM.HEADERS: a comma-separated list of the names of enabled HTTP headers
The following environment entries are set by default in the deployment descriptor (web.xml) and can be overridden by you in the web application context:
Environment entry | Value
---|---
(the rows of this table, one per default CUSTOM.HEADER.* entry, were not preserved in this copy of the page)

We recommend you override the value of CUSTOM.HEADER.Content-Security-Policy to the value specified in Recommended HTTP response headers.
The Cache-Control header was removed from the default set of headers in FX Sales 2.11.0. The header Cache-Control: no-store was found to prevent the initial rendering of web fonts in Internet Explorer 11.
Tomcat 8 examples
In Tomcat 8, web application context configuration files are stored under <tomcat_root>/conf/Catalina/<host>/. For more information, see The Context Container in the Apache Tomcat 8 documentation.
In the example below, the default value for Content-Security-Policy is updated to the value recommended in Recommended HTTP response headers. The placeholders for the primary and secondary Liberator hosts have been replaced with example values 'lib1.example.com:443' and 'lib2.example.com:443' respectively.
<Context>
...
<Environment
name="CUSTOM.HEADER.Content-Security-Policy"
type="java.lang.String"
value="frame-ancestors 'none'; default-src 'self'; script-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; style-src blob: 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' blob: wss://lib1.example.com:443/ https://lib1.example.com:443/ wss://lib2.example.com:443/ https://lib2.example.com:443/; worker-src blob: 'self'; frame-src blob: 'self' https://lib1.example.com:443/ https://lib2.example.com:443/"
override="false"
/>
...
</Context>
In the example below, a new header is defined and added to the default list of enabled HTTP headers:
<Context>
...
<Environment
name="CUSTOM.HEADER.X-My-Custom-Header"
type="java.lang.String"
value="My custom value"
override="false"
/>
<Environment
name="ENABLED.CUSTOM.HEADERS"
type="java.lang.String"
value="X-My-Custom-Header,X-Frame-Options,Content-Security-Policy,Strict-Transport-Security,X-Content-Type-Options,X-XSS-Protection,Referrer-Policy,Feature-Policy,Expect-CT"
override="false"
/>
...
</Context>
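The following Python script is an added illustration, not Caplin's code, of how the CUSTOM.HEADER.* and ENABLED.CUSTOM.HEADERS entries described above combine, and of how to check a deployed instance against them. It assumes the behaviour a reader would infer from this page: every name listed in ENABLED.CUSTOM.HEADERS is emitted with the value of the matching CUSTOM.HEADER.name entry, and a context <Environment override="false"> entry takes precedence over the web.xml default (which is what that attribute means in Tomcat). The web.xml default values below are constructed stand-ins, since the real defaults table did not survive in this copy of the page; how the real application treats a name that is enabled but has no value is not documented here, so the script simply reports such names.

```python
"""Model the CUSTOM.HEADER.* / ENABLED.CUSTOM.HEADERS mechanism and audit a response.

Added example, not part of Caplin FX Sales. Default values are constructed.
"""
import http.client
import urllib.parse
from typing import Dict, List, Tuple

# Constructed stand-in for the defaults shipped in web.xml (illustrative values only).
WEB_XML_DEFAULTS: Dict[str, str] = {
    "ENABLED.CUSTOM.HEADERS": "X-Frame-Options,Content-Security-Policy,X-Content-Type-Options",
    "CUSTOM.HEADER.X-Frame-Options": "DENY",
    "CUSTOM.HEADER.Content-Security-Policy": "default-src 'self'",
    "CUSTOM.HEADER.X-Content-Type-Options": "nosniff",
}

# The two <Environment> entries from the page's second Tomcat example.
CONTEXT_ENTRIES: Dict[str, str] = {
    "CUSTOM.HEADER.X-My-Custom-Header": "My custom value",
    "ENABLED.CUSTOM.HEADERS": (
        "X-My-Custom-Header,X-Frame-Options,Content-Security-Policy,X-Content-Type-Options"
    ),
}


def resolve_entries(defaults: Dict[str, str], context: Dict[str, str]) -> Dict[str, str]:
    """Merge web.xml defaults with context entries; the context value wins.

    Assumption: <Environment override="false"> stops the web.xml env-entry from
    overriding the context value, so the context value is the effective one.
    """
    merged = dict(defaults)
    merged.update(context)
    return merged


def effective_headers(entries: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers that would be emitted, enabled names with no value set).

    Order follows ENABLED.CUSTOM.HEADERS. Names are trimmed so a list written
    with spaces after the commas still resolves.
    """
    raw = entries.get("ENABLED.CUSTOM.HEADERS", "")
    enabled = [name.strip() for name in raw.split(",") if name.strip()]
    headers: Dict[str, str] = {}
    unset: List[str] = []
    for name in enabled:
        value = entries.get(f"CUSTOM.HEADER.{name}")
        if value is None:
            unset.append(name)  # enabled but no CUSTOM.HEADER.<name> entry anywhere
        else:
            headers[name] = value
    return headers, unset


def audit_response(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, str]:
    """Report expected headers that are missing or differ in a captured response.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in actual.items()}
    problems: Dict[str, str] = {}
    for name, want in expected.items():
        got = lowered.get(name.lower())
        if got is None:
            problems[name] = "missing"
        elif got != want:
            problems[name] = f"unexpected value: {got!r}"
    return problems


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch the response headers of a live deployment (only used when given a real URL)."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("GET", parts.path or "/")
    response = conn.getresponse()
    return dict(response.getheaders())


if __name__ == "__main__":
    entries = resolve_entries(WEB_XML_DEFAULTS, CONTEXT_ENTRIES)
    expected, unset = effective_headers(entries)
    for name in unset:
        print(f"warning: {name} is enabled but has no CUSTOM.HEADER.{name} value")
    # Constructed response headers standing in for a real deployment's reply.
    captured = {
        "x-frame-options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "X-My-Custom-Header": "My custom value",
    }
    for name, problem in audit_response(captured, expected).items():
        print(f"{name}: {problem}")
```

To run the audit against a real instance, replace the constructed `captured` dict with `fetch_headers("https://your-fxsales-host/")`; a header reported as missing usually means its name is absent from ENABLED.CUSTOM.HEADERS, while an unexpected value usually means a proxy in front of the application is rewriting it.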