Gateway HTTP Headers and Configuration

Posted by Paul Scott, Last modified by Paul Scott on 01/29/2020 04:36 PM
As of Ignition 8.0.8, several new security-focused changes were made to HTTP responses. First, the gateway no longer sets the Server header on HTTP responses, to prevent potential information leakage. Second, a significant set of gateway security headers are now set with secure default values. However, we did want to offer the opportunity to change the values of these headers.

The default values for these headers should be appropriate for most installations. However, you may need to change the headers in some cases. For example, if you're embedding a Perspective session inside a web-based application from another origin, and that stops working after upgrading to 8.0.8+, then you may need to modify the X-Frame-Options header.

Headers and Values

Each header has a separate property responsible for enabling/disabling the header.

HTTP Header             Enabled System Property                              Enabled by Default
Referrer-Policy         ignition.http.header.referrer_policy.enabled         true
X-Content-Type-Options  ignition.http.header.x_content_type_options.enabled  true
X-Frame-Options         ignition.http.header.x_frame_options.enabled         true
X-XSS-Protection        ignition.http.header.x_xss_protection.enabled        true


In addition, each header has a property to determine the value for the header. 

HTTP Header             Value System Property                              Default Value
Referrer-Policy         ignition.http.header.referrer_policy.value         strict-origin-when-cross-origin
X-Content-Type-Options  ignition.http.header.x_content_type_options.value  nosniff
X-Frame-Options         ignition.http.header.x_frame_options.value         SAMEORIGIN
X-XSS-Protection        ignition.http.header.x_xss_protection.value        1; mode=block

Strict Transport Security

In addition to the headers defined above, Strict-Transport-Security can be enabled (it is disabled by default). The header is enabled by setting the Max Age property.

Max Age
Represents the number of seconds that the browser should remember that a site is only to be accessed using HTTPS. Setting this to a number less than zero disables the header altogether.

Example:
ignition.https.sts.maxAge=5000 

Include Sub Domains
Determines whether subdomains should be included. By default this is set to false.

Example:
ignition.https.sts.includeSubDomains=true/false

Making changes

These changes can be made while the gateway is running, but a gateway restart is required for them to take effect.

1) Locate the ignition.conf file

On the gateway server, navigate to the Ignition installation directory.

In the installation directory, navigate to "data", and there should be a file named ignition.conf. Open this file in the text editor of your choice. (Note: you may want to create a copy of this file and save it elsewhere, just in case you need to revert any changes made).

2) Search the file for "Java Additional Parameters"

Search the file for the "Java Additional Parameters" line. It should look something like the following:
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug

Under this area is where we'll add new parameters. Lines with a "#" character are commented out, and can be ignored. 

3) Make the Change

Make sure you increment the numeral on each parameter, ignoring commented lines (so in the example above the first new parameter is number 2, not 3).

In addition, you will need to add a "-D" before the name of the property. For example, we could modify the example above to change the referrer policy:

# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
wrapper.java.additional.2=-Dignition.http.header.referrer_policy.value=same-origin

We can continue to add new lines to make more configuration changes:
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
wrapper.java.additional.2=-Dignition.http.header.referrer_policy.value=same-origin
wrapper.java.additional.3=-Dignition.http.header.x_xss_protection.enabled=false

If we needed to enable Strict-Transport-Security, we would update our example to the following:
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
wrapper.java.additional.2=-Dignition.http.header.referrer_policy.value=same-origin
wrapper.java.additional.3=-Dignition.http.header.x_xss_protection.enabled=false
wrapper.java.additional.4=-Dignition.https.sts.maxAge=50000
wrapper.java.additional.5=-Dignition.https.sts.includeSubDomains=true

4) Save and Restart

Once all of the desired options have been configured, save the ignition.conf file, and restart the gateway. That's it! Your gateway should be using the new configurations once it has started.
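As an added example (not code from this article or from Inductive Automation), the following Python helper appends -D system properties to the "Java Additional Parameters" section, choosing the next wrapper.java.additional index while ignoring commented lines as step 3 requires, and parses the active properties back out so the result can be checked before restarting. SAMPLE_CONF is a constructed fragment, not a real ignition.conf.

```python
import re

# Constructed fragment of an ignition.conf "Java Additional Parameters" section.
SAMPLE_CONF = """\
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
"""

# Matches an active (uncommented) wrapper.java.additional.N line, capturing N.
# A leading '#' makes the line a comment, so it will not match.
ACTIVE_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)=")


def next_index(conf_text):
    """Return the next free parameter index, counting only uncommented lines."""
    used = []
    for line in conf_text.splitlines():
        m = ACTIVE_RE.match(line)
        if m:
            used.append(int(m.group(1)))
    return max(used, default=0) + 1


def add_system_properties(conf_text, props):
    """Append one 'wrapper.java.additional.N=-Dkey=value' line per property.

    props maps Ignition system property names (for example
    'ignition.http.header.x_frame_options.value') to the desired value.
    """
    idx = next_index(conf_text)
    new_lines = []
    for key, value in props.items():
        new_lines.append(f"wrapper.java.additional.{idx}=-D{key}={value}")
        idx += 1
    body = conf_text if conf_text.endswith("\n") else conf_text + "\n"
    return body + "\n".join(new_lines) + "\n"


def active_properties(conf_text):
    """Parse the active -D properties back out, to review what will be applied."""
    found = {}
    for line in conf_text.splitlines():
        if ACTIVE_RE.match(line) and "=-D" in line:
            _, kv = line.split("=-D", 1)
            key, _, value = kv.partition("=")
            found[key] = value
    return found
```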