HTTP Security Headers
This article discusses the security headers used to control whether and how edgeCore may be rendered within the browser, which provides protection against clickjacking and cross-site scripting (XSS) attacks.
X-Frame-Options Header
By default, edgeCore configures the X-Frame-Options header so that its pages are rendered in the browser only when framed from the ‘SAMEORIGIN’. If edgeCore runs behind a proxy (such as NGINX), or another customer application frames edgeCore, you must add the following line to [INSTALL_HOME]/conf/custom.properties to override the default behavior:
security.allowFrom=https://example.com/
When running behind NGINX, you may also need to override the default allowFrom setting for /edgeweb content, which is ‘SAMEORIGIN’ by default. To make it use the value configured in ‘security.allowFrom’ instead, add the following line to [INSTALL_HOME]/conf/custom.properties:
security.edgeWebAllowFrom=true
Additional information is available at this link.
Content Security Policy (CSP) Header
edgeCore also allows the CSP header's frame-ancestors directive to be configured; this directive lists the parent origins that are permitted to embed the page in a frame. Enforcement depends on browser support (refer to the link below for browser support information).
To configure the CSP header override, add the following line to [INSTALL_HOME]/conf/custom.properties:
security.frameAncestors=http://*.example.com
With this configuration enabled, only pages served over HTTP from a subdomain of example.com (matched by the *.example.com wildcard) are able to contain edgeCore.
Additional information is available at this link.
X-XSS-Protection Header
edgeCore sets this header to assist with XSS protection. Although the browser's XSS filter is typically enabled by default, this header ensures it is enabled and tells the browser what to do when an attack is detected; the configured value instructs the browser to block the page rather than render it.
X-XSS-Protection: 1; mode=block
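After editing custom.properties, the useful check is to confirm what a browser will do with the headers the server now returns. The following is an added example, not part of edgeCore or this article: it evaluates a constructed response header map the way a browser does, giving CSP frame-ancestors precedence over X-Frame-Options and applying the subdomain wildcard rule from the security.frameAncestors setting above.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_frame_ancestors(csp):
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_matches(source, embedder, self_origin):
    """Simplified CSP ancestor-source match (constructed helper): scheme, host with an
    optional '*.' wildcard, and port are compared; any path is ignored."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder.lower() == self_origin.lower()
    o = urlsplit(embedder.lower())
    if src.endswith(":") and "/" not in src:           # scheme-only source such as "https:"
        return o.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != o.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):                           # "*.example.com": subdomains only
        host_ok = bool(o.hostname) and o.hostname.endswith(host[1:])
    else:
        host_ok = o.hostname == host
    default = DEFAULT_PORTS.get(o.scheme)
    return host_ok and (s.port or default) == (o.port or default)

def framing_allowed(headers, embedder, self_origin):
    """True if a browser would let `embedder` frame the response: frame-ancestors wins
    when present, otherwise X-Frame-Options DENY/SAMEORIGIN is applied."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        return any(source_matches(src, embedder, self_origin) for src in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder.lower() == self_origin.lower()
    return True   # missing, or legacy ALLOW-FROM that current browsers ignore: unprotected

# Constructed sample responses mirroring the default and the security.frameAncestors settings
DEFAULT_RESPONSE = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"}
CSP_RESPONSE = {"Content-Security-Policy": "frame-ancestors http://*.example.com"}
```

Run it against headers captured from a real deployment (the origin of edgeCore as self_origin, the embedding portal as embedder) to confirm that the override took effect and that the apex domain is not matched by the wildcard.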