Reference of HTTP Header properties

These parameters specify the HTTP headers required in web security contexts.

Incorrect settings of these parameters may result in tia® Viewer Core not functioning correctly.


Each entry below lists the columns Parent, Configuration, Required, Default, Type and Description.

spring.security.csp.policy

Parent: spring.security.csp
Configuration: policy
Required: (not specified)
Default: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://login.microsoftonline.com; frame-src 'self' blob:; object-src 'self'; media-src 'self'; frame-ancestors 'self'; form-action 'self' https://login.microsoftonline.com https://outlook.office.com; base-uri 'self'; manifest-src 'self'; worker-src 'self';
Type: String
Description: Content Security Policy.

This setting protects the communication between the web server and the browser against attacks such as XSS and content injection.

See: Content Security Policy (CSP) - HTTP | MDN

spring.security.cors.allowed-origins

Parent: spring.security.cors
Configuration: allowed-origins
Required: (not specified)
Default: http(s)://localhost:<port>
Type: String
Description: CORS header: Access-Control-Allow-Origin.

The browser accepts resources from the allowed origin only. By default the value is built from:

  • ${server.ssl.enabled:false} → if true, HTTPS
  • ${server.address}
  • ${server.port}

It may be overwritten directly with spring.security.cors.allowed-origins:

Allowed values are:

  • * (asterisk: allow from everywhere)
  • <origin> (one absolute URL)

Example:

spring.security.cors.allowed-origins: "*"

spring.security.cors.allowed-headers

Parent: spring.security.cors
Configuration: allowed-headers
Required: (not specified)
Default: (not specified)
Type: List<String>
Description: CORS header: Access-Control-Allow-Headers.

The request headers that the browser is allowed to send. See: Access-Control-Allow-Headers - HTTP | MDN

Allowed values are:

  • * (asterisk: all headers)
  • List<String> (comma-separated list of strings)

Example:


spring.security.cors.allow-credentials

Parent: spring.security.cors
Configuration: allow-credentials
Required: (not specified)
Default: true
Type: Boolean
Description: CORS header: Access-Control-Allow-Credentials.

Tells the browser whether credentials (for example cookies) may be sent with cross-origin requests.

See: Access-Control-Allow-Credentials - HTTP | MDN

Example:

spring.security.cors.allow-x-frame-options-from

Parent: spring.security.cors
Configuration: allow-x-frame-options-from
Required: (not specified)
Default: DENY
Type: String (Enum)
Description: CORS header: X-Frame-Options.

Tells the browser whether it may render the viewer's content when it is embedded in an iframe.

See: X-Frame-Options - HTTP | MDN

Hint: This flag is obsolete when CSP is used.

Allowed values are:

  • * (allow from everywhere)
  • DENY
  • SAMEORIGIN
  • ALLOW-FROM <origin> (an HTTP address)

Example:

spring.security.xss.mode

Parent: spring.security.xss
Configuration: mode
Required: (not specified)
Default: disabled
Type: String (Enum)
Description: Cross-site scripting (XSS) protection header.

Should not be set in production.

See: X-XSS-Protection - HTTP | MDN

Allowed values are:

  • block mode
  • block
  • disabled

Example:
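As an added example (not code from tia® Viewer Core), the following Python rebuilds the default allowed origin the way the allowed-origins entry describes, maps the properties on this page to the response headers they control, and flags combinations worth reviewing before go-live. The property values are constructed, and the assumption that the value * for allow-x-frame-options-from means no X-Frame-Options header is sent is mine, not the page's.

```python
import re

# Constructed sample of the properties this page documents (not a real deployment).
SAMPLE_PROPERTIES = {
    "server.ssl.enabled": "false",
    "server.address": "localhost",
    "server.port": "8080",
    "spring.security.cors.allow-credentials": "true",
    "spring.security.cors.allowed-headers": "Content-Type, Authorization",
    "spring.security.cors.allow-x-frame-options-from": "DENY",
    "spring.security.csp.policy": "default-src 'self'; script-src 'self'; frame-ancestors 'self';",
}


def default_allowed_origin(props):
    """Rebuild the page's default: http(s)://${server.address}:${server.port},
    using HTTPS when server.ssl.enabled is true."""
    scheme = "https" if props.get("server.ssl.enabled", "false") == "true" else "http"
    return f"{scheme}://{props['server.address']}:{props['server.port']}"


def build_headers(props):
    """Map the properties to the response headers they control."""
    origin = props.get("spring.security.cors.allowed-origins") or default_allowed_origin(props)
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Headers": props.get("spring.security.cors.allowed-headers", ""),
        "Access-Control-Allow-Credentials": props.get("spring.security.cors.allow-credentials", "true"),
        "Content-Security-Policy": props.get("spring.security.csp.policy", ""),
    }
    xfo = props.get("spring.security.cors.allow-x-frame-options-from", "DENY")
    if xfo != "*":  # assumption: "*" (allow from everywhere) means no X-Frame-Options header is sent
        headers["X-Frame-Options"] = xfo
    return headers


def lint_headers(headers):
    """Return finding codes for header combinations a reviewer should question."""
    findings = []
    if headers["Access-Control-Allow-Origin"] == "*" and headers["Access-Control-Allow-Credentials"] == "true":
        findings.append("wildcard-origin-with-credentials")  # browsers reject this pairing per the CORS spec
    script_src = re.search(r"script-src([^;]*)", headers["Content-Security-Policy"])
    if script_src and {"'unsafe-inline'", "'unsafe-eval'"} & set(script_src.group(1).split()):
        findings.append("unsafe-script-src")  # inline/eval allowances undo most of CSP's XSS protection
    if headers.get("X-Frame-Options", "").startswith("ALLOW-FROM"):
        findings.append("allow-from-obsolete")  # modern browsers ignore ALLOW-FROM; frame-ancestors replaces it
    return findings


if __name__ == "__main__":
    for name, value in build_headers(SAMPLE_PROPERTIES).items():
        print(f"{name}: {value}")
    print("findings:", lint_headers(build_headers(SAMPLE_PROPERTIES)))
```

Running it against the page's default CSP policy reports unsafe-script-src, which is the trade-off to weigh when keeping 'unsafe-inline' and 'unsafe-eval' in script-src.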