Reference of HTTP Header properties
These parameters specify the HTTP headers required in web security contexts.
Incorrect settings of these parameters may result in tia® Viewer Core not functioning correctly.
| Parent | Configuration | Required | Default | Type | Description |
|---|---|---|---|---|---|
| | | | `default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://login.microsoftonline.com; frame-src 'self' blob:; object-src 'self'; media-src 'self'; frame-ancestors 'self'; form-action 'self' https://login.microsoftonline.com https://outlook.office.com; base-uri 'self'; manifest-src 'self'; worker-src 'self';` | String | Content-Security-Policy. This header restricts where the browser may load scripts, styles, images and other resources from, and which sites may frame the viewer, which limits the impact of XSS and injection attacks. |
| | | | `http(s)://localhost:<port>` | String | CORS header Access-Control-Allow-Origin. The browser accepts resources from the allowed origin only. In the default, it is created from: May be directly overwritten with Allowed values are: Example: `spring.security.cors.allowed-origins: "*"` |
| | | | Access-Control-Allow-Headers, Access-Control-Allow-Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Cache-Control, Content-Type, Authorization | List<String> | CORS header Access-Control-Allow-Headers. The request headers the browser is allowed to send in a cross-origin request. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers Allowed values are: Example: `spring.security.cors.allowed-headers: "*"` |
| | | | | Boolean | CORS header Access-Control-Allow-Credentials. Tells the browser whether it may send credentials (cookies, Authorization headers etc.) with cross-origin requests. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials Example: `tia.security.cors.allow-credentials: false` |
| | | | | String (Enum) | X-Frame-Options. Tells the browser whether it may render the viewer when it is embedded in an iframe. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options Hint: this flag is obsolete when the CSP `frame-ancestors` directive is used. Allowed values are: Example: `spring.security.cors.allow-x-frame-options-from: "*"` |
| | | | | String (Enum) | X-XSS-Protection header (cross-site scripting filter). Should not be set in production. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection Allowed values are: Example: `spring.security.xss.mode: block-mode` |
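The table above documents several headers whose interplay is easy to get wrong: CSP fetch directives fall back to `default-src` while `frame-ancestors` does not, `frame-ancestors` overrides X-Frame-Options, and an `Access-Control-Allow-Origin: *` response is rejected by browsers when credentials are allowed. The following Python audit is an added example and is not part of tia Viewer Core or the Spring configuration; it parses the page's default CSP string (copied here as a constructed sample), evaluates a CORS origin against an allowed-origins list, resolves the effective framing policy, and reports findings for a configuration. The config dictionary keys (`csp`, `allowed-origins`, `allow-credentials`, `x-frame-options`, `xss-mode`) are this example's own shorthand for the properties in the table, not the product's property names.

```python
"""Audit helpers for the HTTP security headers documented on this page.
Added example, not product code. Sample header values are constructed."""
from __future__ import annotations

# The page's default Content-Security-Policy, as the server would send it.
DEFAULT_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; "
    "connect-src 'self' https://login.microsoftonline.com; frame-src 'self' blob:; "
    "object-src 'self'; media-src 'self'; frame-ancestors 'self'; "
    "form-action 'self' https://login.microsoftonline.com https://outlook.office.com; "
    "base-uri 'self'; manifest-src 'self'; worker-src 'self';"
)

# Constructed configuration using this example's own shorthand keys.
DEFAULT_CONFIG = {
    "csp": DEFAULT_CSP,
    "allowed-origins": ["http://localhost:8080"],   # placeholder port
    "allow-credentials": False,
    "x-frame-options": None,
    "xss-mode": None,
}

# Fetch directives fall back to default-src when absent; these never do.
_NO_DEFAULT_FALLBACK = {"frame-ancestors", "form-action", "base-uri", "sandbox",
                        "report-uri", "report-to", "upgrade-insecure-requests"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:                      # skip the empty clause after a trailing ';'
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_allows(csp: dict[str, list[str]], directive: str, source: str) -> bool:
    """True if `source` (a token such as "'self'", "data:" or a full origin)
    is permitted for `directive`. Exact token match; host wildcards are not modelled."""
    sources = csp.get(directive)
    if sources is None and directive not in _NO_DEFAULT_FALLBACK:
        sources = csp.get("default-src")
    if sources is None:
        return True                     # directive absent: CSP imposes no restriction
    if "'none'" in sources:
        return False
    return source in sources


def cors_allow_origin(origin: str, allowed_origins: list[str],
                      allow_credentials: bool) -> str | None:
    """Value to send in Access-Control-Allow-Origin for this request Origin,
    or None to send no CORS header at all."""
    if "*" in allowed_origins:
        if allow_credentials:
            raise ValueError("allowed-origins '*' combined with allow-credentials: true "
                             "is rejected by browsers; list explicit origins instead")
        return "*"
    return origin if origin in allowed_origins else None


def framing_policy(csp: dict[str, list[str]], x_frame_options: str | None) -> str:
    """Effective framing rule: frame-ancestors wins when present, X-Frame-Options
    applies only otherwise, and neither means any site may frame the viewer."""
    if "frame-ancestors" in csp:
        return "frame-ancestors " + " ".join(csp["frame-ancestors"])
    if x_frame_options:
        return "X-Frame-Options " + x_frame_options.upper()
    return "unrestricted"


def audit(config: dict) -> list[str]:
    """Return human-readable findings for a configuration dict."""
    findings: list[str] = []
    csp = parse_csp(config.get("csp") or "")
    if "'unsafe-eval'" in csp.get("script-src", []):
        findings.append("script-src permits 'unsafe-eval'; confirm the viewer needs it")
    try:   # the probe origin only exercises the '*' + credentials rule
        cors_allow_origin("https://probe.invalid", config.get("allowed-origins", []),
                          bool(config.get("allow-credentials", False)))
    except ValueError as exc:
        findings.append(str(exc))
    if framing_policy(csp, config.get("x-frame-options")) == "unrestricted":
        findings.append("no frame-ancestors or X-Frame-Options: any site may frame the viewer")
    if config.get("xss-mode"):
        findings.append("X-XSS-Protection is configured; it should not be set in production")
    return findings


if __name__ == "__main__":
    for finding in audit(DEFAULT_CONFIG) or ["no findings"]:
        print("-", finding)
```

Running the module audits the constructed default configuration; the only finding it produces is the `'unsafe-eval'` allowance in `script-src`, which is worth confirming against what the viewer actually requires. Note that `csp_allows` does exact token matching, so a policy using host wildcards or scheme-only sources needs a fuller matcher than this example provides.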