Configure Security Response Headers
Introduction
Goal
Configure HTTP response headers that increase the security of your Bloomreach Experience Manager delivery application.
Background
Certain security-related HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. Examples are Strict-Transport-Security and Content-Security-Policy. See https://www.owasp.org/index.php/OWASP_Secure_Headers_Project for an overview of available headers, browser compatibility, best practices, etc.
This page explains how to configure additional (security) response headers for your delivery application at virtual host, mount, or sitemap item level.
Configure Response Headers
You can configure any additional HTTP header at virtual host, mount, or sitemap item level by setting the multi-valued String property hst:responseheaders on the appropriate node using the Console.
For example, the YAML snippet below:
/hst:hst/hst:hosts/production/com/myproject/www: jcr:primaryType: hst:virtualhost hst:responseheaders: ['Content-Security-Policy: script-src ''self''', 'Strict-Transport-Security: max-age=31536000 ; includeSubDomains'] /hst:root: jcr:primaryType: hst:mount hst:homepage: root hst:mountpoint: /hst:hst/hst:sites/myproject
configures the following two response headers on the virtual host www.myproject.com (and, implicitly, on all sites mounted under that virtual host):
Content-Security-Policy: script-src 'self' Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Similarly, the hst:responseheaders property can be set on an individual mount:
/hst:hst/hst:hosts/production/com/myproject/www/hst:root: jcr:primaryType: hst:mount hst:homepage: root hst:mountpoint: /hst:hst/hst:sites/myproject hst:responseheaders: ['Content-Security-Policy: script-src ''self''', 'Strict-Transport-Security: max-age=31536000 ; includeSubDomains']
Or even on a single sitemap item:
/hst:hst/hst:configurations/myproject/hst:sitemap/news: jcr:primaryType: hst:sitemapitem hst:componentconfigurationid: hst:pages/newslist hst:pagetitle: List of News Items hst:relativecontentpath: news hst:responseheaders: ['Content-Security-Policy: script-src ''self''', 'Strict-Transport-Security: max-age=31536000 ; includeSubDomains']