Specify the HTTP security response headers for BlueCat Gateway.
- Content-Security-Policy: The HTTP response header that lets website administrators control which resources the browser may load for a given web page. Content Security Policy (CSP) is an added security layer that helps to detect and mitigate cross-site scripting (XSS) attacks, data injection attacks, and clickjacking.
- Strict Transport Security: The HTTP response header that allows a webpage to tell browsers that it should be accessed using HTTPS, instead of HTTP. As a security best practice, BlueCat recommends enabling this option.
Follow the steps below to specify the content-security-policy and strict-transport-security response headers for BlueCat Gateway:
- Log in to BlueCat Gateway.
- Select .
- In the Policy field, specify a valid content-security-policy directive. By default, the value is set to style-src 'self' 'unsafe-inline'. Note that this default governs stylesheets only; scripts, frames, and other resource types remain unrestricted until you add the corresponding directives (for example default-src, script-src, or frame-ancestors).
- In the Report URI field, specify a content security report-uri directive. This instructs the user agent to report attempts to violate the Content Security Policy to that URI.
- Click the Report only checkbox to send the policy in the HTTP Content-Security-Policy-Report-Only response header instead. This allows you to experiment with policies by monitoring (but not enforcing) their effects. Violation reports are JSON documents sent via an HTTP POST request to the specified URI.
- Click the Strict Transport Security checkbox. The Strict-Transport-Security response header lets a website tell browsers that it should be accessed using HTTPS, instead of HTTP. Browsers only honor this header when it is received over an HTTPS connection.
- In the Max Age (seconds) field, specify the time in seconds that the browser should remember that the site is only to be accessed using HTTPS. The default value is 31556926 seconds (approximately 365 days).
- Click the Include Subdomains checkbox to specify that the rule applies to all of the site's subdomains.
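The following Python script is an added example and is not part of the BlueCat documentation or the Gateway product. It parses Content-Security-Policy and Strict-Transport-Security header values of the kind the steps above produce, returns the findings a reviewer would raise (for instance, that the default style-src-only policy leaves script loading unrestricted, or that the HSTS max-age is below one year), and parses the JSON violation report a browser POSTs to the report-uri. The header values, the report body, and the hostname gateway.example.test are constructed for the example; the one-year threshold is a common recommendation, not a BlueCat setting.

```python
import json
import re
from typing import Dict, List

# Constructed sample: headers as a Gateway reply might carry them after the
# steps above, using the default CSP value and the default HSTS max-age.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "style-src 'self' 'unsafe-inline'; report-uri /csp-report",
    "Strict-Transport-Security": "max-age=31556926; includeSubDomains",
}

ONE_YEAR = 31536000  # seconds; commonly recommended minimum for HSTS max-age


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in policy:  # browsers use the first occurrence of a directive
            policy[name] = sources
    return policy


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse Strict-Transport-Security into max-age and flags."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        low = part.strip().lower()
        if low.startswith("max-age="):
            match = re.fullmatch(r'max-age="?(\d+)"?', low)  # value may be quoted
            if match:
                result["max_age"] = int(match.group(1))
        elif low == "includesubdomains":
            result["include_subdomains"] = True
        elif low == "preload":
            result["preload"] = True
    return result


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings about the CSP/HSTS headers (empty list means no findings)."""
    findings: List[str] = []
    lookup = {k.lower(): v for k, v in headers.items()}

    csp = lookup.get("content-security-policy")
    report_only = lookup.get("content-security-policy-report-only")
    if csp is None:
        if report_only is None:
            findings.append("no Content-Security-Policy header")
        else:
            findings.append("CSP is report-only: violations are logged, not blocked")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy and "script-src" not in policy:
            findings.append("no default-src or script-src: script loading is unrestricted")
        if "'unsafe-inline'" in policy.get("script-src", []):
            findings.append("script-src allows 'unsafe-inline'")
        if "frame-ancestors" not in policy:
            findings.append("no frame-ancestors: clickjacking protection relies on X-Frame-Options")
        if "report-uri" not in policy and "report-to" not in policy:
            findings.append("no report-uri/report-to: violations will not be reported")

    hsts = lookup.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("HSTS max-age missing: header is invalid and ignored")
        elif parsed["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {parsed['max_age']} is below one year")
        if not parsed["include_subdomains"]:
            findings.append("HSTS does not include subdomains")
    return findings


def parse_csp_report(body: bytes) -> Dict[str, str]:
    """Extract the fields worth logging from a CSP violation report POST body."""
    report = json.loads(body.decode("utf-8")).get("csp-report", {})
    return {
        "document_uri": report.get("document-uri", ""),
        "violated_directive": report.get("violated-directive", ""),
        "effective_directive": report.get("effective-directive", ""),
        "blocked_uri": report.get("blocked-uri", ""),
        "disposition": report.get("disposition", ""),
    }


# Constructed violation report in the shape user agents POST to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://gateway.example.test/login",
    "violated-directive": "style-src",
    "effective-directive": "style-src",
    "original-policy": SAMPLE_HEADERS["Content-Security-Policy"],
    "disposition": "enforce",
    "blocked-uri": "https://cdn.example.test/theme.css",
    "status-code": 200,
}}).encode()

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print("finding:", finding)
    print("report:", parse_csp_report(SAMPLE_REPORT))
```

Run the script against the headers returned by your own Gateway instance (for example, copied from a browser's network inspector) by replacing SAMPLE_HEADERS; an empty findings list means the policy covers scripts and framing and HSTS is set for at least a year with subdomains included.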
- For more information on Content Security Policy, refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- For more information on HTTP Content-Security-Policy response header, refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- For more information on Strict Transport Security response header, refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security