Security Headers

About this task

You can send the following security headers in the HTTP response.

Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self' https:

The default value of each header can be overridden by specifying an HTTP Adapter property of the form <header name>.value=<header value>, for example: X-Frame-Options.value = ALLOW-FROM https://<host>:<port>/<path>

By default Sterling Secure Proxy does not send these headers.

To send these headers, add these HTTP Adapter properties:

Strict-Transport-Security.value = max-age=31536000
X-XSS-Protection.value = 1; mode=block
X-Content-Type-Options.value = nosniff
X-Frame-Options.value = SAMEORIGIN
Referrer-Policy.value = no-referrer-when-downgrade

Sending the Content-Security-Policy header can cause existing backend application pages to display incorrectly if the HTML contains any inline scripts or inline styles. Users can add this header by specifying this HTTP Adapter property: "Content-Security-Policy.value=default-src 'self' https:".
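After the properties above are in place, the practical check is to look at a real response from the proxy and confirm the headers actually arrive. The following is an added example and not Sterling Secure Proxy code: it parses a raw response-header block (for instance the output of `curl -sI https://<ssp-host>/`, where the host is a placeholder) and reports which of the configured headers are missing, carry a different value, or appear more than once. The sample response embedded in it is constructed for the example.

```python
"""Verify that a response carries the security headers configured above.

Added example, not Sterling Secure Proxy code. It parses a raw HTTP
response-header block and compares it with the header values that the
HTTP Adapter properties above configure.
"""
from typing import Dict, List, Tuple

# Values the HTTP Adapter properties above configure. Add
# "Content-Security-Policy": "default-src 'self' https:" if you send it.
EXPECTED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw header block; the status line is skipped."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_security_headers(raw: str, expected: Dict[str, str] = EXPECTED_HEADERS) -> dict:
    """Compare a response against the expected headers.

    Header names are matched case-insensitively, as HTTP requires; values are
    compared exactly, so a backend value such as X-Frame-Options: DENY shows
    up as 'mismatched' rather than being silently accepted. A header that
    occurs more than once (which the 'add' override mode can produce) is
    listed under 'duplicated'.
    """
    seen: Dict[str, List[str]] = {}
    for name, value in parse_headers(raw):
        seen.setdefault(name.lower(), []).append(value)

    report = {"missing": [], "mismatched": {}, "duplicated": []}
    for name, want in expected.items():
        values = seen.get(name.lower())
        if values is None:
            report["missing"].append(name)
            continue
        if len(values) > 1:
            report["duplicated"].append(name)
        if want not in values:
            report["mismatched"][name] = values
    return report


# Constructed sample response: X-XSS-Protection.value was never configured,
# and the backend's own X-Frame-Options: DENY survived because the default
# override value 'no' keeps a header that is already present.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer-when-downgrade
"""

if __name__ == "__main__":
    print(check_security_headers(SAMPLE_RESPONSE))
    # {'missing': ['X-XSS-Protection'], 'mismatched': {'X-Frame-Options': ['DENY']}, 'duplicated': []}
```

Run it against a response captured from the proxy rather than the embedded sample to confirm a deployment. Note that the ALLOW-FROM form of X-Frame-Options shown earlier is not honoured by current browsers; if a specific framing origin must be allowed, the frame-ancestors directive of Content-Security-Policy is the mechanism browsers support, and the expected value in the dictionary above should be adjusted accordingly.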

Specify one of the following values for the HTTP Adapter property '<header name>.override':

ignore - SSP ignores the header and does not add it.

replace - SSP removes any copies of the header sent by the backend server before adding its own.

add - SSP adds the header even if it is already present (sent by the backend server).

no - SSP does not replace the header if it is already present. This is the default behavior.

Any custom response header can be sent by specifying an HTTP Adapter property such as the following:

resp.header.1.key=<header name>

resp.header.1.value=<header value>

resp.header.2.key=<header name>

resp.header.2.value=<header value>
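Because the four override values interact with whatever the backend already sends, it helps to dry-run a property set before applying it to an adapter. The following is an added example and not Sterling Secure Proxy code: it parses properties in the notation used above and models the ignore, replace, add and no behaviours as described. The page does not say how resp.header.N custom headers interact with headers already present, so the model assumes (hypothetically) that they are appended unconditionally; the backend headers and property text it uses are constructed for the example.

```python
"""Model how '<header>.value' and '<header>.override' combine with the
headers the backend server sends.

Added example, not Sterling Secure Proxy code. It implements the four
override behaviours documented above so that a property set can be checked
before it is applied. Custom resp.header.N entries are assumed (hypothetically)
to be appended regardless of what the backend sent.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines in the adapter-property notation used above.

    Only the first '=' separates key from value, so a value such as
    max-age=31536000 survives intact.
    """
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def apply_header_properties(backend: List[Header], props: Dict[str, str]) -> List[Header]:
    """Return the response headers after the adapter properties are applied."""
    result = list(backend)

    for key, value in props.items():
        if not key.endswith(".value") or key.startswith("resp.header."):
            continue
        name = key[: -len(".value")]
        mode = props.get(name + ".override", "no").lower()  # 'no' is the default
        already = any(h.lower() == name.lower() for h, _ in result)
        if mode == "ignore":            # never add this header
            continue
        if mode == "replace":           # drop the backend's copies, then add ours
            result = [(h, v) for h, v in result if h.lower() != name.lower()]
            result.append((name, value))
        elif mode == "add":             # add even if present (yields duplicates)
            result.append((name, value))
        elif mode == "no":              # keep the backend's header if it exists
            if not already:
                result.append((name, value))
        else:
            raise ValueError(f"unknown override mode {mode!r} for {name}")

    # resp.header.N.key / resp.header.N.value custom headers (assumed appended).
    n = 1
    while f"resp.header.{n}.key" in props:
        result.append((props[f"resp.header.{n}.key"], props.get(f"resp.header.{n}.value", "")))
        n += 1
    return result


# Constructed backend response headers for the example.
BACKEND_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
]

# Constructed property set exercising every override value.
ADAPTER_PROPERTIES = """
Strict-Transport-Security.value = max-age=31536000
X-Frame-Options.value = SAMEORIGIN
X-Frame-Options.override = replace
X-Content-Type-Options.value = nosniff
X-Content-Type-Options.override = add
Referrer-Policy.value = no-referrer-when-downgrade
Referrer-Policy.override = ignore
resp.header.1.key = Cache-Control
resp.header.1.value = no-store
"""

if __name__ == "__main__":
    for name, value in apply_header_properties(BACKEND_HEADERS, parse_properties(ADAPTER_PROPERTIES)):
        print(f"{name}: {value}")
```

In the sample, Strict-Transport-Security takes the default 'no' and is added because the backend did not send it, X-Frame-Options: DENY is replaced by SAMEORIGIN, X-Content-Type-Options ends up twice because 'add' does not check for an existing copy, and Referrer-Policy is never emitted because of 'ignore'. Duplicated headers are the effect to watch for when choosing 'add' over 'replace'.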

When upgrading, if you have previously customized the Sterling Secure Proxy portal pages, you need to reapply your customization to the portal pages delivered with this iFix.

This upgrade adds a new properties file: <ssp engine install dir>/bin/portal/mediatypes.properties. If your customization added any new files under the /Signon directory and their file extensions are not listed in mediatypes.properties, add the appropriate entries to this file.