This guide outlines various security enhancements to the HTTP headers in Itential Automation Platform (IAP) and explains why httpOnly was not set on all occurrences.
Default HTTP Response Headers

Header | Syntax | Description |
---|---|---|
Access-Control-Allow-Origin | * | Tells the browser to allow code from any origin to access a resource. See Configurable Headers below. |
Access-Control-Allow-Headers | Origin, X-Requested-With, Content-Type, Accept | Used in response to a preflight request that includes Access-Control-Request-Headers, to indicate which HTTP headers can be used during the actual request. |
Access-Control-Allow-Methods | POST, GET, DELETE, OPTIONS | Specifies the HTTP methods allowed when accessing the resource, in response to a preflight request. |
X-Frame-Options | SAMEORIGIN | The page can only be displayed in a frame on the same origin as the page itself. |
X-Content-Type-Options | nosniff | A marker used by the server to indicate that the MIME types advertised in the Content-Type headers must not be changed and must be followed. |
Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | This response header (HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of HTTP. |
Configurable Headers

Currently, the Access-Control-Allow-Origin header is configurable within an IAP profile. It can be set within the expressProps under a property called access_control_allow_origin. When this is set to a value different from the default of *, IAP will also add Origin to the Vary header, so that caches do not serve a response generated for one origin to a request from another.
Additional Headers If cacheControl is Turned On

These are defined in properties.json or expressProps.

Header | Syntax | Description |
---|---|---|
Cache-Control | Private, No-Cache, No-Store, Must-Revalidate | Caching directives that can be used by the server in an HTTP response. |
Pragma | No-Cache | Used for backwards compatibility with HTTP/1.0 caches where the Cache-Control HTTP/1.1 header is not present. |
Expires | 0 | This header contains the date/time after which the response is considered stale. An invalid date (i.e., the value 0) represents a date in the past and means that the resource has already expired. |
If-Modified-Since | Mon, 1 Jan 2014 01:00:00 GMT | This request header makes the request conditional: the server will send back the requested resource, with a 200 status, only if it has been modified after the given date. If the resource has not been modified since, the response will be a 304. |
Cookies

- The Set-Cookie HTTP response header is used to send cookies from the server to the user agent.
- Saved on login.
- Token used for sessions.
Value | Description |
---|---|
POST | HTTP request call to /login sets the httpOnly flag to true. |
httpOnly | Cookies are not set for public, unauthenticated API calls. |
secure | Flag is set to true when IAP is run over SSL. |
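The following is an added example, not IAP's own code, that puts the Configurable Headers, cacheControl and Cookies sections above into one runnable piece: it builds the response header map from a config object (the object shape, and the helper names, are assumptions; only the property names access_control_allow_origin and cacheControl come from this page) and derives the session cookie attributes for the /login response.

```javascript
'use strict';

// Headers the page lists as always present (values as given in the table above).
const DEFAULT_HEADERS = Object.freeze({
  'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept',
  'Access-Control-Allow-Methods': 'POST, GET, DELETE, OPTIONS',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
});

// Headers added only when cacheControl is turned on (directives are case-insensitive).
const CACHE_HEADERS = Object.freeze({
  'Cache-Control': 'private, no-cache, no-store, must-revalidate',
  Pragma: 'no-cache',
  Expires: '0',
});

// Build the response header map from a config object. The shape of `expressProps`
// is an assumption; access_control_allow_origin and cacheControl are the page's names.
function buildSecurityHeaders(expressProps = {}) {
  const origin = expressProps.access_control_allow_origin || '*';
  const headers = { ...DEFAULT_HEADERS, 'Access-Control-Allow-Origin': origin };
  // A non-wildcard origin makes the response depend on the request's Origin,
  // so shared caches must key on it: add Vary: Origin, as the page describes.
  if (origin !== '*') headers.Vary = 'Origin';
  if (expressProps.cacheControl) Object.assign(headers, CACHE_HEADERS);
  return headers;
}

// Cookie attributes for the POST /login response: httpOnly is always set, secure
// only when the server is reached over SSL. Public, unauthenticated calls get no
// cookie at all, which this function signals by returning null.
function sessionCookieOptions({ authenticated, overSsl }) {
  if (!authenticated) return null;
  return { httpOnly: true, secure: Boolean(overSsl) };
}

// Render a Set-Cookie header value with the attributes chosen above.
function setCookieHeader(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Demo with a constructed config (origin value is made up for illustration).
console.log(buildSecurityHeaders({ access_control_allow_origin: 'https://ops.example.test', cacheControl: true }));
console.log(setCookieHeader('token', 'constructed-session-token', sessionCookieOptions({ authenticated: true, overSsl: true })));
```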