API REFERENCE
USER
- Automation Gateway
- Automation Platform
ADMIN
DEVELOPER
- Automation Platform
- Policy Manager
PRODUCT NOTICES

Itential Automation Platform

HTTPS Security

This guide outlines various security enhancements to the HTTP Headers in Itential Automation Platform (IAP) and why httpOnly was not set on all occurrences.

Default HTTP Response Headers

Header	Syntax	Description
`Access-Control-Allow-Origin`	`*`	Tells the browser to allow code from any origin to access a resource.
`Access-Control-Allow-Headers`	`Origin`, `X-Requested-With`, `Content-Type`, `Accept`	Used in response to a `preflight` request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.
`Access-Control-Allow-Methods`	`POST`, `GET`, `DELETE`, `OPTIONS`	Specifies the supported HTTP methods allowed when accessing the resource in response to a `preflight` request.
`X-Frame-Options`	`SAMEORIGIN`	The page can only be displayed in a frame on the same origin as the page itself.
`X-Content-Type-Options`	`nosniff`	A marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed.
`Strict-Transport-Security`	`max-age=31536000; includeSubDomains; preload`	This response header (HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

Additional Headers If cacheControl is Turned On

These are defined in properties.json or expressProps.

Header	Syntax	Description
`Cache-Control`	`Private`, `No-Cache`, `No-Store`, `Must-Revalidate`	Caching directives that can be used by the server in an HTTP response.
`Pragma`	`No-Cache`	Used for backwards compatibility with HTTP/1.0 caches where the `Cache-Control` HTTP/1.1 header is not present.
`Expires`	`0`	This header contains the date/time after which the response is considered stale. Invalid dates (i.e., the value 0), represent a date in the past and means that the resource is already expired.
`If-Modified-Since`	`Mon, 1 Jan 2014 01:00:00 GMT`	This request HTTP header makes the request conditional: the server will send back the requested resource, with a 200 status, only if it has been last modified after the given date. If the request has not been modified since, the response will be a 304.

Cookies

The Set-Cookie HTTP response header is used to send cookies from the server to the user agent.
Saved on login.
Token used for sessions.

Value	Description
`POST`	HTTP request call to `/login` sets the `httpOnly` flag to `true`.
`httpOnly`	Cookies are not set for public, unauthenticated API calls.
`secure`	Flag is set to `true` when IAP is run over SSL.

FAQs

Service Desk

Developer Hub

On-Demand Webinars

Videos