Security headers - SmartPlant Foundation - Update 47 - Installation & Upgrade

Infrastructure Planning and Deployment for SmartPlant Foundation


Before the application is exposed externally, the IIS server that hosts it needs several configuration changes. In particular, the web server should be configured to send the following headers by default:

Header                       Value
X-Frame-Options              SAMEORIGIN
X-Content-Type-Options       nosniff
X-XSS-Protection             1; mode=block
Cache-Control                no-cache, no-store, must-revalidate
Content-Security-Policy      default-src https: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' blob:;
Strict-Transport-Security    max-age=31536000; includeSubdomains

For example:

<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="X-XSS-Protection" value="1; mode=block" />
    <add name="Cache-Control" value="no-cache, no-store, must-revalidate" />
    <!-- CSP directives are separated by ';' and a directive name carries no ':' -->
    <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' blob:;" />
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
  </customHeaders>
</httpProtocol>
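As an added example (not part of the SmartPlant Foundation documentation), the following Python script reads the customHeaders section of a web.config, compares it against the header list above, and splits the Content-Security-Policy into its directives so that a policy whose script-src is not separated from default-src by a semicolon is flagged. The web.config fragment it carries is constructed for the demonstration.

```python
"""Audit an IIS web.config against the security headers listed on this page. Added
example, not from the SmartPlant Foundation docs; the web.config fragment is constructed."""
import xml.etree.ElementTree as ET

REQUIRED_HEADERS = {  # values the page says IIS should send by default
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
}

def custom_headers(web_config_xml):
    """Return {name: value} for each <add> under <httpProtocol>/<customHeaders>."""
    headers = {}
    for block in ET.fromstring(web_config_xml).iter("customHeaders"):
        for add in block.findall("add"):
            headers[add.get("name")] = add.get("value")
    return headers

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; ';' separates directives."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(web_config_xml):
    """Return findings; an empty list means the config matches the page."""
    headers = custom_headers(web_config_xml)
    findings = [f"missing header {n}" for n in REQUIRED_HEADERS if n not in headers]
    findings += [f"{n}: expected {v!r}, got {headers[n]!r}" for n, v in REQUIRED_HEADERS.items()
                 if n in headers and headers[n].strip().lower() != v.lower()]
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("missing header Content-Security-Policy")
    elif "script-src" not in parse_csp(csp):
        # No ';' before script-src means browsers see one default-src directive only.
        findings.append("Content-Security-Policy: no separate script-src directive")
    return findings

# Constructed web.config fragment carrying the page's headers.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><httpProtocol><customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" /><add name="X-Content-Type-Options" value="nosniff" />
<add name="X-XSS-Protection" value="1; mode=block" /><add name="Cache-Control" value="no-cache, no-store, must-revalidate" />
<add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' blob:;" />
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
</customHeaders></httpProtocol></system.webServer></configuration>"""
```

Running `audit()` over a real web.config is a quick pre-deployment check; an empty result means every header on the page is present with the expected value.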