HTTP Security Policy

Description

Security-related HTTP headers can be set, such as HSTS, CSP and XSS protection.

Plugin

{
    "groupId": "io.apiman.plugins",
    "artifactId": "apiman-plugins-http-security-policy",
    "version": "3.1.3.Final"
}

Configuration

Table 1. HTTP security policy configuration

| Option | Type | Description | Default |
|---|---|---|---|
| frameOptions | Enum [DENY, SAMEORIGIN, DISABLED] | Frame Options: defines if, or how, a resource should be displayed in a frame, iframe or object. | DISABLED |
| xssProtection | Enum [OFF, ON, BLOCK, DISABLED] | XSS Protection: enable or disable XSS filtering in the UA. | DISABLED |
| contentTypeOptions | Boolean | X-Content-Type-Options: prevent MIME-sniffing to any type other than the declared Content-Type. | false |
| hsts | hsts (see Table 2) | HTTP Strict Transport Security: configure HSTS. | None |
| contentSecurityPolicy | contentSecurityPolicy (see Table 3) | Content Security Policy: CSP definition. | None |

hsts

Table 2. HTTP Strict Transport Security (hsts): enforce transport security when using HTTP to mitigate a range of common web vulnerabilities.

| Option | Type | Description | Default |
|---|---|---|---|
| enabled | Boolean | HSTS: enable HTTP Strict Transport Security. | false |
| includeSubdomains | Boolean | Include subdomains. | false |
| maxAge | Integer | Maximum age: delta seconds user agents should cache HSTS status for. | 0 |
| preload | Boolean | Enable HSTS preloading: flag to verify HSTS preload status. Popular browsers contain a hard-coded (pinned) list of domains and certificates, which they always connect securely with. This mitigates a wide range of identity and MITM attacks, and is particularly useful for high-profile domains. Users must submit a request for their domain to be included in the scheme. | false |

contentSecurityPolicy (Content Security Policy)

Table 3. CSP (contentSecurityPolicy): a sophisticated mechanism to precisely define the types and sources of content that may be loaded, with violation reporting and the ability to restrict the availability and scope of many security-sensitive features.

| Option | Type | Description | Default |
|---|---|---|---|
| mode | Enum [ENABLED, REPORT_ONLY, DISABLED] | CSP Mode: which content security policy mode to use. | DISABLED |
| csp | String | Content Security Policy: a valid CSP definition to apply. | Empty string |

Sample Configuration

Keyword sources such as 'self' and 'none' must be single-quoted inside the csp string; written without quotes, a browser interprets them as host names rather than CSP keywords.

{
   "contentSecurityPolicy" : {
      "mode" : "REPORT_ONLY",
      "csp" : "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
   },
   "frameOptions" : "SAMEORIGIN",
   "contentTypeOptions" : true,
   "hsts" : {
      "includeSubdomains" : true,
      "preload" : false,
      "enabled" : true,
      "maxAge" : 9001
   },
   "xssProtection" : "ON"
}
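As an added example (not apiman's own code), the following script derives the response headers that a configuration like the sample above corresponds to, and checks the csp string for unquoted keyword sources. The option-to-header mapping is an assumption based on the standard meaning of each header, not taken from the plugin's source.

```python
# Constructed sample: the page's sample configuration, with CSP keyword
# sources quoted as the CSP grammar requires.
SAMPLE_CONFIG = {
    "contentSecurityPolicy": {
        "mode": "REPORT_ONLY",
        "csp": "default-src 'none'; script-src 'self'; connect-src 'self'; "
               "img-src 'self'; style-src 'self';",
    },
    "frameOptions": "SAMEORIGIN",
    "contentTypeOptions": True,
    "hsts": {"includeSubdomains": True, "preload": False, "enabled": True, "maxAge": 9001},
    "xssProtection": "ON",
}

# CSP keyword sources that are only valid when single-quoted.
CSP_KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def unquoted_csp_keywords(csp):
    """Return keyword sources that appear without the required single quotes."""
    bad = []
    for directive in csp.split(";"):
        tokens = directive.split()
        bad.extend(tok for tok in tokens[1:] if tok in CSP_KEYWORDS)
    return bad


def expected_headers(cfg):
    """Map the policy options to response headers (assumed mapping, see lead-in)."""
    headers = {}
    frame = cfg.get("frameOptions", "DISABLED")
    if frame in ("DENY", "SAMEORIGIN"):
        headers["X-Frame-Options"] = frame
    xss = {"OFF": "0", "ON": "1", "BLOCK": "1; mode=block"}.get(cfg.get("xssProtection", "DISABLED"))
    if xss is not None:
        headers["X-XSS-Protection"] = xss
    if cfg.get("contentTypeOptions", False):
        headers["X-Content-Type-Options"] = "nosniff"
    hsts = cfg.get("hsts") or {}
    if hsts.get("enabled", False):
        value = "max-age=%d" % hsts.get("maxAge", 0)
        if hsts.get("includeSubdomains", False):
            value += "; includeSubDomains"
        if hsts.get("preload", False):
            value += "; preload"
        headers["Strict-Transport-Security"] = value
    csp = cfg.get("contentSecurityPolicy") or {}
    name = {"ENABLED": "Content-Security-Policy",
            "REPORT_ONLY": "Content-Security-Policy-Report-Only"}.get(csp.get("mode", "DISABLED"))
    if name is not None:
        headers[name] = csp.get("csp", "")
    return headers
```

With the sample configuration, REPORT_ONLY mode yields Content-Security-Policy-Report-Only rather than an enforcing header, so violations are reported but nothing is blocked.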