Security headers - HxGN SDx - Update 38 - Installation & Upgrade

Infrastructure Planning and Deployment for HxGN SDx

Language: English (United States) | Product: HxGN SDx | Category: Installation & Upgrade | SmartPlant Foundation / SDx Version: 10

Before the application is exposed externally, several configuration changes need to be made to the IIS server that hosts it. In particular, the web server should be configured to send the following HTTP response headers by default:

Header                     Value
X-Frame-Options            SAMEORIGIN
X-Content-Type-Options     nosniff
X-XSS-Protection           1; mode=block
Cache-Control              no-cache, no-store, must-revalidate
Pragma                     no-cache
Content-Security-Policy    default-src https: data: 'unsafe-inline' 'unsafe-eval'
Strict-Transport-Security  max-age=31536000; includeSubdomains

For example:

<!-- web.config: this element belongs inside <configuration><system.webServer> -->
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="X-XSS-Protection" value="1; mode=block" />
    <add name="Cache-Control" value="no-cache, no-store, must-revalidate" />
    <add name="Pragma" value="no-cache" />
    <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
  </customHeaders>
</httpProtocol>
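As an added example (not part of the HxGN SDx documentation or product), the following Python script generates the customHeaders fragment from the table above and audits an existing web.config against it, reporting headers that are missing or carry a different value; the sample web.config embedded in it is constructed for illustration.

```python
"""Generate and audit the IIS security headers listed above (added example)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Required headers and values, exactly as given in the table above.
REQUIRED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
}

def render_custom_headers() -> str:
    """Emit the <httpProtocol> fragment for web.config from REQUIRED_HEADERS."""
    lines = ["<httpProtocol>", "  <customHeaders>"]
    for name, value in REQUIRED_HEADERS.items():
        lines.append(f"    <add name={quoteattr(name)} value={quoteattr(value)} />")
    lines += ["  </customHeaders>", "</httpProtocol>"]
    return "\n".join(lines)

def configured_headers(web_config_xml: str) -> dict:
    """Collect name->value from every <customHeaders><add> element in the file."""
    root = ET.fromstring(web_config_xml)
    return {add.get("name"): add.get("value")
            for block in root.iter("customHeaders")
            for add in block.findall("add")}

def check_headers(web_config_xml: str) -> dict:
    """Return {'missing': [names], 'mismatched': {name: (expected, actual)}}."""
    # Header names are case-insensitive (RFC 9110), so compare them lowercased.
    found = {k.lower(): v for k, v in configured_headers(web_config_xml).items()}
    missing, mismatched = [], {}
    for name, expected in REQUIRED_HEADERS.items():
        actual = found.get(name.lower())
        if actual is None:
            missing.append(name)
        elif actual.strip() != expected:
            mismatched[name] = (expected, actual)
    return {"missing": missing, "mismatched": mismatched}

# Constructed sample web.config: X-Content-Type-Options absent, HSTS max-age too short.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="X-Frame-Options" value="SAMEORIGIN" />
  <add name="X-XSS-Protection" value="1; mode=block" />
  <add name="Cache-Control" value="no-cache, no-store, must-revalidate" />
  <add name="Pragma" value="no-cache" />
  <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
  <add name="Strict-Transport-Security" value="max-age=300" />
</customHeaders></httpProtocol></system.webServer></configuration>"""
```

Running `check_headers` on the sample reports X-Content-Type-Options as missing and flags the Strict-Transport-Security value; a file built from `render_custom_headers()` passes cleanly.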