/
Reference of HTTP Header properties

Reference of HTTP Header properties

Owned by Armin Franke
Last updated: Sept 26, 2024
2 min read

These parameters allow specification of HTTP Header required in web security contexts.

Incorrect settings of these parameters may result in tia® Viewer Core not functioning correctly.

 

 

Parent

Configuration

Required

Default

Type

Description

Parent

Configuration

Required

Default

Type

Description

spring.security.csp

policy

 

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://login.microsoftonline.com; frame-src 'self' blob:; object-src 'self'; media-src 'self'; frame-ancestors 'self'; form-action 'self' https://login.microsoftonline.com https://outlook.office.com; base-uri 'self'; manifest-src 'self'; worker-src 'self';

 

String

Content Security Policy.

This setting secures communication between web server and browser against various attacks like XSS, or injections.

See: Content Security Policy (CSP) - HTTP | MDN

spring.security.cors

allowed-origins

 

http(s)://localhost:<port>

String

CORS Header: Access-Control-Allowed-Origin.

The Browser accepts resources from the allowed origin only. In the default, it will be created from:

${server.ssl.enabled:false} → if true, HTTPS

${server.address}

${server.port}

May be directly overwritten with

spring.security.cors.allowed-origins:

Allowed values are:

  • * ( Asterisk - from everywhere)

  • <origin> (one absolute URL)

Example:

spring.security.cors.allowed-origins: "*"

spring.security.cors

allowed-headers

 

List<String>

CORS Header: Access-Control-Allowed-Headers.

The Headers, that are allowed by the browser. See:

Access-Control-Allow-Headers - HTTP | MDN

Allowed values are:

  • *(Asterisk - all Headers)

  • List<String> (String list, comma seperated)

Example:

spring.security.cors

allowed-headers

 

List<String>

CORS Header: Access-Control-Allowed-Headers.

The Headers, that are allowed by the browser. See:

Access-Control-Allow-Headers - HTTP | MDN

Allowed values are:

  • *(Asterisk - all Headers)

  • List<String> (String list, comma seperated)

Example:

spring.security.cors

allow-credentials

 

true

Boolean

CORS Header: Access-Control-Allow-Credentials.

Tell the browser, whether it allowes cross-origin request credentials or not (credentials may be in cookies etc.)

See: Access-Control-Allow-Credentials - HTTP | MDN

Example:

spring.security.cors

allow-x-frame-options-from

 

DENY

String (Enum)

CORS Header: X-Frame-Options.

Tells the browser if it accept the content of the viewer when its embedded in an iFrame.

See: X-Frame-Options - HTTP | MDN

Hint: This flag is obsolete when using CSP

Allowed values are:

  • * (Allow from everywhere)

  • DENY

  • SAMEORIGIN

  • ALLOW-FROM XXXXXX (http-address [origin])

Example:

 

spring.security.xss

mode

 

disabled

String (Enum)

Cross-Site Protection Header.

Should not be set in Production.

See: X-XSS-Protection - HTTP | MDN

 

Allowed values are:

  • block mode

  • block

  • disabled

Example:

 

Related content

Reference of general global settings
Reference of general global settings
Documentation
Read with this
Adding CORS filter for KGS Web Services (WS)
Adding CORS filter for KGS Web Services (WS)
Documentation
More like this
tia® Viewer (core)
tia® Viewer (core)
Documentation
Read with this
Connection to tia® Content Server Core CMIS
Connection to tia® Content Server Core CMIS
Documentation
More like this
Location of the license file (Vc)
Location of the license file (Vc)
Documentation
Read with this
Reference for OpenID authentication
Reference for OpenID authentication
Documentation
More like this