Configure Security Response Headers

Introduction

Goal

Configure HTTP response headers that increase the security of your Bloomreach Experience Manager delivery application.

Background

Certain security-related HTTP response headers instruct modern browsers to enforce protections that close off whole classes of easily preventable attacks. Examples are HTTP Strict-Transport-Security (HSTS), which makes the browser keep using HTTPS for the host once it has seen the header, and Content-Security-Policy (CSP), which restricts the sources from which a page may load scripts and other resources. See https://www.owasp.org/index.php/OWASP_Secure_Headers_Project for an overview of available headers, browser compatibility, best practices, etc.

This page explains how to configure additional (security) response headers for your delivery application at virtual host, mount, or sitemap item level.

Configure Response Headers

You can configure any additional HTTP header at virtual host, mount, or sitemap item level by setting the multi-valued String property hst:responseheaders on the appropriate node using the Console. Each value of the property is one header, written as the header name, a colon, and the header value (for example Content-Security-Policy: script-src 'self').

For example, the YAML snippet below:

/hst:hst/hst:hosts/production/com/myproject/www:
  jcr:primaryType: hst:virtualhost
  hst:responseheaders: ['Content-Security-Policy: script-src ''self''', 'Strict-Transport-Security:
      max-age=31536000 ; includeSubDomains']
  /hst:root:
    jcr:primaryType: hst:mount
    hst:homepage: root
    hst:mountpoint: /hst:hst/hst:sites/myproject

configures the following two response headers on the virtual host www.myproject.com (and, implicitly, on all sites mounted under that virtual host):

Content-Security-Policy: script-src 'self'
Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Similarly, the hst:responseheaders property can be set on an individual mount:

/hst:hst/hst:hosts/production/com/myproject/www/hst:root:
  jcr:primaryType: hst:mount
  hst:homepage: root
  hst:mountpoint: /hst:hst/hst:sites/myproject
  hst:responseheaders: ['Content-Security-Policy: script-src ''self''', 'Strict-Transport-Security:
       max-age=31536000 ; includeSubDomains']

Or even on a single sitemap item:

/hst:hst/hst:configurations/myproject/hst:sitemap/news:
  jcr:primaryType: hst:sitemapitem
  hst:componentconfigurationid: hst:pages/newslist
  hst:pagetitle: List of News Items
  hst:relativecontentpath: news
  hst:responseheaders: ['Content-Security-Policy: script-src ''self''', 'Strict-Transport-Security:
      max-age=31536000 ; includeSubDomains']
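Because hst:responseheaders accepts any string, a typo or a weak directive in a value is only discovered once a browser stops enforcing the policy. The script below is an added example, not part of the Bloomreach documentation or product: it parses a list of hst:responseheaders values the way the examples above are written (header name, first colon, value; the page does not state how the platform itself splits them, so that is an assumption here), rejects malformed names and CR/LF in values, and audits the HSTS and CSP directives for the weaknesses a reviewer would look for. The WEAK_HEADERS list is constructed for the demonstration and is not from the page.

```python
"""Audit hst:responseheaders values before committing them (added example)."""
import re

# Constructed sample: the two values from the virtual host YAML above.
VIRTUAL_HOST_HEADERS = [
    "Content-Security-Policy: script-src 'self'",
    "Strict-Transport-Security: max-age=31536000 ; includeSubDomains",
]

# Constructed sample of a deliberately weak set, to show what the audit flags.
WEAK_HEADERS = [
    "Content-Security-Policy: script-src 'self' 'unsafe-inline' https://cdn.example.com",
    "Strict-Transport-Security: max-age=300",
    "X-Frame-Options: DENY\r\nSet-Cookie: evil=1",  # CR/LF would inject a second header
]

TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 header-name token
ONE_YEAR = 31536000  # HSTS max-age of one year, as in the page's example


def parse_entry(entry):
    """Split one 'Name: value' string on the FIRST colon only, so values that
    themselves contain colons (CSP sources such as https://cdn.example.com)
    stay intact. Assumes the platform splits the same way (not stated on the page)."""
    name, sep, value = entry.partition(":")
    if not sep:
        raise ValueError(f"no colon in {entry!r}")
    name, value = name.strip(), value.strip()
    if not TOKEN.match(name):
        raise ValueError(f"invalid header name {name!r}")
    if "\r" in value or "\n" in value:
        raise ValueError(f"CR/LF in value of {name}")
    return name, value


def parse_hsts(value):
    """Return (max_age, include_subdomains); tolerates spaces around ';'."""
    max_age, include = None, False
    for directive in value.split(";"):
        key, _, val = directive.partition("=")
        key = key.strip().lower()
        if key == "max-age" and val.strip().isdigit():
            max_age = int(val.strip())
        elif key == "includesubdomains":
            include = True
    return max_age, include


def csp_directive(value, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for directive in value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def audit(entries):
    """Parse a hst:responseheaders list and return findings (empty list = clean)."""
    findings, headers = [], {}
    for entry in entries:
        try:
            name, value = parse_entry(entry)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        headers[name.lower()] = value

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age, include = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} below one year")
        if not include:
            findings.append("HSTS lacks includeSubDomains")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        script_src = csp_directive(csp, "script-src")
        if script_src is None:
            findings.append("CSP has no script-src directive")
        elif "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
            findings.append("CSP script-src allows unsafe-inline/unsafe-eval")
    return findings


if __name__ == "__main__":
    print("virtual host:", audit(VIRTUAL_HOST_HEADERS))
    for finding in audit(WEAK_HEADERS):
        print("weak:", finding)
```

After deploying the configuration, confirm that the headers actually reach the client with curl -sI https://www.myproject.com/ and compare the Strict-Transport-Security and Content-Security-Policy lines against the values you committed; a reverse proxy or CDN in front of the delivery application may add, strip or overwrite them.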