Http Header Providers (web-HttpHeaderProviders)

These headers pass additional information with an HTTP request or response between client and server. This information tells the browser how to handle the response, providing protection against click-jacking and other threats. This component contains four headers that you may customize as needed. To ensure the most robust security, leave all headers enabled. To turn off a header, if necessary, set its Enabled property to false.

For complete details on headers, see the MDN web docs site (https://developer.mozilla.org/en-US/docs/Web/API/Headers).

Figure 1. Http Header Providers properties
To access these properties, expand Services > WebServices and double-click Http Header Providers.

In addition to the standard property, Enabled, these properties configure header providers.

Property: Content-Security-Policy
Value: additional properties
Description: Notifies the browser of the restrictions to apply to images, JavaScript, or CSS in response to a request for resources. "Csp Header Provider (web-CspHeaderProvider)" documents the additional properties.

Property: X-Content-Type-Options
Value: drop-down list (defaults to nosniff)
Description: Indicates to browsers that they should apply additional restrictions rather than auto-detecting the content type of downloaded files. For best security, nosniff is the recommended value.

Property: X-Frame-Options
Value: drop-down list (defaults to Sameorigin)
Description: Indicates whether a browser may render pages served by your station in a <frame> or <iframe> of another site. Use it to prevent click-jacking attacks.

Sameorigin allows the browser to embed pages from within the same station. This is considered a safe practice and is required for the HTML5 Hx Profile to function correctly.

Deny prevents the browser from loading the page in any frame. Note: Deny inhibits the display of some typical HTML5 Hx Profile views.

Any may expose a Cross-Frame Scripting (XFS) or click-jacking vulnerability and is not recommended. If an external site must embed your station's web interface, configure a "frame-ancestors" directive under Content-Security-Policy instead.

Property: X-XSS-Protection
Value: text (defaults to 1; mode=block)
Description: Instructs the browser to prevent the page from loading if it detects an XSS attack. 1; mode=block is the recommended value.
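The following is an added example, not part of the Niagara documentation or the station's own code: a small audit function that takes the response headers of a station page (as a dict, e.g. captured from a browser's network panel) and reports which of the four header providers are missing or set to something weaker than the recommended values above. It also implements the rule stated for the Any setting: a missing X-Frame-Options header is only acceptable when Content-Security-Policy carries a frame-ancestors directive that does not allow every origin. The sample header sets at the bottom are constructed for illustration.

```python
"""Audit a set of HTTP response headers against the recommended values for the
four Http Header Providers (added example; not Niagara's own code)."""


def _lookup(headers, name):
    """Return the value of header `name`, matched case-insensitively, or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _csp_directive(csp, directive):
    """Return the source list of one CSP directive as tokens, or None if absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None


def audit_security_headers(headers):
    """Return a list of findings; an empty list means every header is at a recommended value."""
    findings = []

    xcto = _lookup(headers, "X-Content-Type-Options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing (recommended: nosniff)")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is '{xcto}' (recommended: nosniff)")

    csp = _lookup(headers, "Content-Security-Policy")
    frame_ancestors = _csp_directive(csp, "frame-ancestors") if csp else None

    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        # No X-Frame-Options at all (the provider's Any setting): only acceptable when
        # CSP frame-ancestors restricts which sites may embed the page.
        if frame_ancestors is None:
            findings.append("X-Frame-Options missing and no CSP frame-ancestors directive: "
                            "any site may frame the page (click-jacking risk)")
    elif xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options is '{xfo}' (recommended: SAMEORIGIN or DENY)")

    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif frame_ancestors is not None and "*" in frame_ancestors:
        findings.append("CSP frame-ancestors allows '*': any site may embed the page")

    xss = _lookup(headers, "X-XSS-Protection")
    if xss is None:
        findings.append("X-XSS-Protection missing (recommended: 1; mode=block)")
    elif xss.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection is '{xss}' (recommended: 1; mode=block)")

    return findings


# Constructed sample header sets (not captured from a real station).
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# A station whose interface a trusted portal must embed: X-Frame-Options is
# omitted, and CSP frame-ancestors names the one permitted embedding origin.
EMBEDDABLE_HEADERS = {
    "content-security-policy": "default-src 'self'; frame-ancestors https://portal.example",
    "x-content-type-options": "NOSNIFF",
    "x-xss-protection": "1;mode=block",
}

# Weak configuration: two providers disabled, framing unrestricted, XSS filter off.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS),
                        ("embeddable", EMBEDDABLE_HEADERS),
                        ("weak", WEAK_HEADERS)):
        print(f"{label}: {audit_security_headers(hdrs) or 'OK'}")
```

Header names are compared case-insensitively, as HTTP requires, so the audit behaves the same whether the headers come from a proxy log, a browser developer-tools export, or a scripted request. Running the script prints no findings for the first two sets and three findings for the weak set.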