Configuring security policies - Platform - BlueCat Gateway - 20.12.1

Gateway Administration Guide

prodname
BlueCat Gateway
version_custom
20.12.1

Specify the HTTP security response headers for BlueCat Gateway.

  • Content-Security-Policy: The HTTP response header that lets website administrators control resources to load for a given web page. Content Security Policy (CSP) is an added scecurity layer that helps to detect and mitigate cross-site scripting (XSS) attacks, data injection attacks, and click-jacking.
  • Strict Transport Security: The HTTP response header that allows a webpage to tell browsers that it should be accessed using HTTPS, instead of HTTP. As a security best practice, BlueCat recommends enabling this option.

Follow the steps below to specify the content-security-policy and strict-transport-security response headers for BlueCat Gateway:

  1. Log in to BlueCat Gateway.
  2. Select Administration > Configurations > General Configuration.
  3. Click Security.


  4. In the Policy field, specify a valid content-security-policy directive. By default, the value is set to style-src 'self' 'unsafe-inline'.
  5. In the Report URI field, specify a content security policy report-uri directive. This instructs the user agent to report attempts to violate the Content Security Policy.
  6. Click the Report only checkbox. The HTTP Content-Security-Policy-Report-Only response header allows you to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
  7. Click the Strict Transport Security checkbox. The Strict-Transport-Security response header lets a website tell browsers that it should be accessed using HTTPS, instead of HTTP.


    1. Specify the time in seconds that the browser should remember that that site is only to be accessed using HTTPS on the Max Age (seconds) field. The default value is 31556926 seconds (or 365 days).
    2. Click the Include Subdomains checkbox to specify that the rule applies to all of the site's subdomains.
  8. Click Save.
    Related links: