Specify the HTTP security response headers for BlueCat Gateway.
- Content-Security-Policy: The HTTP response header that lets website administrators control which resources the browser may load for a given web page. Content Security Policy (CSP) is an added security layer that helps to detect and mitigate cross-site scripting (XSS) attacks, data injection attacks, and (through the frame-ancestors directive) clickjacking.
- Strict Transport Security: The HTTP response header that lets a site tell browsers that it must be accessed using HTTPS instead of HTTP. Browsers only honour this header when it is received over a valid HTTPS connection, so Gateway must already be served over HTTPS for it to take effect. As a security best practice, BlueCat recommends enabling this option.
- For more information on Content Security Policy, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- For more information on HTTP Content-Security-Policy response header, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- For more information on Strict Transport Security response header, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Follow the steps below to specify the content-security-policy and strict-transport-security response headers for BlueCat Gateway:
- Log in to BlueCat Gateway.
- Select .
- Click Security.
- In the Policy field, specify a valid content-security-policy directive. By default, the policy is set to style-src 'self' 'unsafe-inline'.
- In the Report URI field, specify a content security policy report-uri directive. This directive tells the user agent where to report attempts that violate the Content Security Policy. (report-uri is deprecated in CSP Level 3 in favour of report-to, but it remains widely supported by browsers.)
- To monitor a policy without enforcing it, select the Report Only checkbox. The HTTP Content-Security-Policy-Report-Only response header lets you experiment with policies by monitoring (but not enforcing) their effects. Violation reports are JSON documents sent by way of an HTTP POST request to the specified Report URI, so set a Report URI when using this mode or the reports have nowhere to go.
- To enforce the use of HTTPS instead of HTTP by browsers, select the Strict Transport Security checkbox. Doing so enables the Strict-Transport-Security response header, which tells browsers that the site should only be accessed using HTTPS.
- In the Max Age (seconds) field, set the time in seconds that the browser should remember that the site is only to be accessed using HTTPS. The default value is 31556926 seconds (approximately one year).
- To specify that the rule applies to all of the site's subdomains, select the Include Subdomains checkbox.
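The following is an added example, not BlueCat's code. It shows what the settings on the Security page correspond to on the wire and gives you a way to verify the result. build_headers assumes a straightforward mapping from the form fields to header values (policy plus an appended report-uri, the Report Only checkbox selecting the header name, and Max Age / Include Subdomains forming the HSTS value); that mapping is an assumption about Gateway's behaviour, so confirm it against the headers your instance actually returns. check_headers takes the response headers of any page (for example from curl -I or a browser's network panel, supplied here as a constructed dict) and reports the misconfigurations a practitioner most often finds: report-only mode with no report-uri, 'unsafe-inline' on script-src or default-src, HSTS sent over plain HTTP, a short max-age, and no subdomain coverage.

```python
"""Build and check the CSP and HSTS response headers described above.
Added example; not BlueCat Gateway's own code."""
from typing import Dict, List, Optional

# Defaults stated in the Gateway documentation.
GATEWAY_DEFAULT_POLICY = "style-src 'self' 'unsafe-inline'"
GATEWAY_DEFAULT_MAX_AGE = 31556926      # roughly one year, in seconds
ONE_YEAR = 31536000                     # common minimum for HSTS max-age


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS string into {field-name: value-or-None}."""
    fields: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        fields[name.strip().lower()] = val.strip() or None
    return fields


def build_headers(policy: str, report_uri: Optional[str] = None,
                  report_only: bool = False, hsts: bool = False,
                  max_age: int = GATEWAY_DEFAULT_MAX_AGE,
                  include_subdomains: bool = False) -> Dict[str, str]:
    """Assumed mapping from the Security page settings to header values."""
    csp = policy.strip().rstrip(";")
    if report_uri:
        csp += f"; report-uri {report_uri}"
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    headers = {name: csp}
    if hsts:
        value = f"max-age={max_age}"
        if include_subdomains:
            value += "; includeSubDomains"
        headers["Strict-Transport-Security"] = value
    return headers


def check_headers(headers: Dict[str, str], scheme: str = "https") -> List[str]:
    """Return findings for a set of response headers; empty means OK."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    csp_ro = h.get("content-security-policy-report-only")
    if csp is None and csp_ro is None:
        findings.append("no Content-Security-Policy header")
    else:
        if csp is None:
            findings.append("CSP is report-only: violations are reported, not blocked")
        directives = parse_csp(csp if csp is not None else csp_ro)
        if csp is None and "report-uri" not in directives:
            findings.append("report-only policy has no report-uri; reports go nowhere")
        # Inline styles (the Gateway default) are a lesser risk; flag scripts.
        for name, sources in directives.items():
            if "'unsafe-inline'" in sources and name in ("script-src", "default-src"):
                findings.append(f"{name} allows 'unsafe-inline': inline scripts can run")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        if scheme != "https":
            findings.append("HSTS received over plain HTTP; browsers ignore it")
        fields = parse_hsts(hsts)
        try:
            max_age = int(fields.get("max-age") or "")
        except ValueError:
            findings.append("HSTS max-age missing or not an integer")
        else:
            if max_age < ONE_YEAR:
                findings.append(f"HSTS max-age {max_age} is under one year")
        if "includesubdomains" not in fields:
            findings.append("HSTS does not cover subdomains")
    return findings


if __name__ == "__main__":
    # Constructed input: the documented defaults plus a report URI and HSTS.
    good = build_headers(GATEWAY_DEFAULT_POLICY, report_uri="/csp-report",
                         hsts=True, include_subdomains=True)
    print(good, check_headers(good))
    # Constructed input: a report-only policy, no report-uri, no HSTS, over HTTP.
    weak = {"Content-Security-Policy-Report-Only": "default-src 'self' 'unsafe-inline'"}
    print(check_headers(weak, scheme="http"))
```

Run check_headers against the headers Gateway actually returns after saving the form; an empty list for the enforced policy plus HSTS is the state to aim for, and a report-only finding is expected only while you are still tuning the policy.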