
These parameters configure the HTTP headers that the web security context requires.

Incorrect settings of these parameters may stop tia Viewer Core from functioning correctly.

Each parameter is described by the following fields: Parent, Configuration, Required, Default, Type, Description.

Parent: spring.security.csp

Configuration: policy

Default: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://login.microsoftonline.com; frame-src 'self' blob:; object-src 'self'; media-src 'self'; frame-ancestors 'self'; form-action 'self' https://login.microsoftonline.com https://outlook.office.com; base-uri 'self'; manifest-src 'self'; worker-src 'self';

Type: String

Description: Content Security Policy. This setting protects the communication between web server and browser against attacks such as XSS and other injections by telling the browser which sources it may load content from.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Parent: spring.security.cors

Configuration: allowed-origins

Default: http(s)://localhost:<port>

Type: String

Description: CORS header Access-Control-Allow-Origin. The browser accepts resources from the allowed origin only. By default the value is built from:

  • ${server.ssl.enabled:false} → if true, https; otherwise http

  • ${server.address}

  • ${server.port}

It may be overwritten directly with spring.security.cors.allowed-origins.

Allowed values are:

  • * (asterisk: from everywhere)

  • <origin> (one absolute URL)

Example:

spring.security.cors.allowed-origins: "*"

Parent: spring.security.cors

Configuration: allowed-headers

Default: Access-Control-Allow-Headers, Access-Control-Allow-Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Cache-Control, Content-Type, Authorization

Type: List<String>

Description: CORS header Access-Control-Allow-Headers. The request headers that the browser is allowed to send on a cross-origin request. See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

Allowed values are:

  • * (asterisk: all headers)

  • List<String> (comma-separated list of header names)

Example:

spring.security.cors.allowed-headers: "*"


Parent: spring.security.cors

Configuration: allow-credentials

Default: true

Type: Boolean

Description: CORS header Access-Control-Allow-Credentials. Tells the browser whether a cross-origin request may include credentials (cookies, for example).

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

Example:

spring.security.cors.allow-credentials: false
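The two CORS settings above interact: the page derives the default origin from server.ssl.enabled, server.address and server.port, restricts allowed-origins to "*" or one absolute URL, and defaults allow-credentials to true. The following added example (not code from the tia Viewer Core project) models that derivation and validates an explicit override, including the browser-side rule that a wildcard Access-Control-Allow-Origin is rejected on credentialed requests. The fallback of server.address to localhost is an assumption made here for illustration.

```python
# Added example, not part of the tia Viewer Core documentation or code base.
# Models the documented default for spring.security.cors.allowed-origins and
# checks an explicit value against the documented allowed values.
from typing import List
from urllib.parse import urlsplit


def default_allowed_origin(ssl_enabled: bool = False,
                           address: str = "localhost",   # assumed fallback when server.address is unset
                           port: int = 8080) -> str:
    """Build the default origin the way the page describes:
    ${server.ssl.enabled:false} selects the scheme, ${server.address} and
    ${server.port} supply host and port."""
    scheme = "https" if ssl_enabled else "http"
    return f"{scheme}://{address}:{port}"


def is_absolute_origin(value: str) -> bool:
    """An origin is scheme://host[:port] with no path, query or fragment."""
    parts = urlsplit(value)
    return (
        parts.scheme in ("http", "https")
        and bool(parts.hostname)
        and parts.path == ""
        and not parts.query
        and not parts.fragment
    )


def validate_cors(allowed_origins: str, allow_credentials: bool) -> List[str]:
    """Return the problems found with the setting pair; an empty list means OK."""
    problems = []
    if allowed_origins != "*" and not is_absolute_origin(allowed_origins):
        problems.append(
            f"allowed-origins must be '*' or one absolute origin, got {allowed_origins!r}"
        )
    if allowed_origins == "*" and allow_credentials:
        # Browsers refuse Access-Control-Allow-Origin: * when the request carries
        # credentials, so this pair silently breaks credentialed cross-origin calls.
        problems.append(
            "allowed-origins '*' combined with allow-credentials true is rejected by "
            "browsers on credentialed requests; name the origin explicitly or set "
            "allow-credentials to false"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(default_allowed_origin(True, "viewer.example.internal", 8443))
    for origins, creds in [("*", True), ("*", False),
                           ("https://viewer.example.internal:8443", True),
                           ("viewer.example.internal/app", False)]:
        print(origins, creds, validate_cors(origins, creds) or "ok")
```

The third sample is the combination that works with the documented default allow-credentials of true: one explicit origin rather than the wildcard.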

Parent: spring.security.cors

Configuration: allow-x-frame-options-from

Default: DENY

Type: String (Enum)

Description: Header X-Frame-Options. Tells the browser whether it may render the viewer's content when the viewer is embedded in an iframe.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Hint: This flag is obsolete when the CSP directive frame-ancestors is used.

Allowed values are:

  • * (allow from everywhere)

  • DENY

  • SAMEORIGIN

  • ALLOW-FROM XXXXXX (http address [origin])

Example:

spring.security.cors.allow-x-frame-options-from: "*"
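The CSP default policy on this page contains 'unsafe-inline' and 'unsafe-eval' in script-src, and the X-Frame-Options hint says the flag is obsolete once frame-ancestors is present. The following added example (written for this page, not taken from the tia Viewer Core project) parses a policy string into its directives, reports the script-src sources that let injected script run despite the policy, and shows which of the two headers actually governs framing. The policy string is the documented default; the audit function and its wording are this example's own.

```python
# Added example, not part of the tia Viewer Core documentation or code base.
# Parses a Content-Security-Policy value and relates it to X-Frame-Options.
from typing import Dict, List, Tuple

# Documented default of spring.security.csp.policy, quoted from the page.
DEFAULT_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; "
    "connect-src 'self' https://login.microsoftonline.com; frame-src 'self' blob:; "
    "object-src 'self'; media-src 'self'; frame-ancestors 'self'; "
    "form-action 'self' https://login.microsoftonline.com https://outlook.office.com; "
    "base-uri 'self'; manifest-src 'self'; worker-src 'self';"
)

# Script sources that defeat the point of a CSP: any injected script still runs.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into a dict of source lists.
    Directive names are case-insensitive, so they are lower-cased; a directive
    repeated later in the policy is ignored, which is what browsers do."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty chunk, e.g. after the trailing ';'
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def weak_script_sources(directives: Dict[str, List[str]]) -> List[str]:
    """Sources in script-src (falling back to default-src, as CSP does)
    that allow inline or dynamically evaluated script."""
    sources = directives.get("script-src", directives.get("default-src", []))
    return sorted(WEAK_SCRIPT_SOURCES & set(sources))


def effective_framing(directives: Dict[str, List[str]],
                      x_frame_options: str) -> Tuple[str, str]:
    """Name the header that decides whether the viewer may be framed.
    Browsers that understand frame-ancestors ignore X-Frame-Options when
    both headers are sent; only without frame-ancestors does X-Frame-Options apply."""
    if "frame-ancestors" in directives:
        return ("frame-ancestors", " ".join(directives["frame-ancestors"]))
    return ("X-Frame-Options", x_frame_options)


def audit(policy: str, x_frame_options: str) -> List[str]:
    """Collect the findings a reviewer would raise for a policy/X-Frame-Options pair."""
    directives = parse_csp(policy)
    findings = []
    for source in weak_script_sources(directives):
        findings.append(f"script-src permits {source}: injected script is not blocked")
    header, value = effective_framing(directives, x_frame_options)
    if header == "frame-ancestors":
        findings.append(f"framing governed by frame-ancestors {value}; "
                        f"X-Frame-Options {x_frame_options!r} is redundant")
    elif value == "*":
        findings.append("no framing restriction: set frame-ancestors or "
                        "X-Frame-Options DENY/SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for line in audit(DEFAULT_CSP, "DENY"):
        print(line)
```

Running it against the documented default reports the two unsafe script sources and that frame-ancestors 'self', not the X-Frame-Options value, controls framing; a policy without frame-ancestors combined with the "*" value yields the no-restriction finding.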

Parent: spring.security.xss

Configuration: mode

Default: disabled

Type: String (Enum)

Description: Cross-site scripting protection header (X-XSS-Protection). Should not be set in production.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Allowed values are:

  • block mode

  • block

  • disabled

Example:

spring.security.xss.mode: block-mode
