HTTP Security Headers

This section discusses the security headers used to control whether and how edgeSuite is rendered within the browser, providing protection against ClickJacking and Cross-Site-Scripting attacks.

X-Frame Options Header #

edgeCore by default configures the X-Frame Options so that pages are rendered within the browser as long as they are from the ‘SAMEORIGIN’.  In some instances where edgeCore is behind a proxy (like NGINX), or we have another customer application that frames edgeCore you must add the following line to conf/custom.properteries to override the default behavior.

security.allowFrom=https://example.com/

When running behind NGINX; you may also need to override the default allowFrom configuration of /edgeweb content.  By default its set to ‘SAMEORIGIN’; if it needs to be set to the value configured in ‘security.allowFrom’ you must add the following line to conf/custom.properteries to override the default behavior.

security.edgeWebAllowFrom=true

Additional information is available here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Content Security Policy (CSP) Header #

edgeSuite allows the additional configuration of the CSP Header used to control the frame-ancestors directive specifying the valid parents that are allowed to embed the page using frames.  This is subject to browser support; see the additional info link below for browser support information.

To configure the CSP Header override; you can specify the following line in conf/custom.properties:

security.frameAncestors=http://*.example.com

If the above configuration is enabled only pages from the example.com subdomain over http would be able to contain edgeSuite.

Additional information is available here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

X-XSS-Protection Header #

edgeSuite configures this header to assist in XSS protection.  While this behavior is typically enabled by default; this header ensures it is enabled and tells the browser what to do when an XSS attack is detected.  This configuration is set to block the content if it is detected.

X-XSS-Protection: 1; mode=block