- The JOC Cockpit makes use of only those HTTP response headers that are functionally required.
- In addition, a number of security-related headers
  - should be provided by default.
  - should be adjustable by users.
The following response headers are added in ./jetty/etc/jetty-rewrite.xml:
- X-Frame-Options: sameorigin
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Content-Security-Policy: default-src 'self'
- Permissions-Policy: accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none), image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)
- Referrer-Policy: strict-origin-when-cross-origin
- Strict-Transport-Security: max-age=31536000; includeSubDomains
A full sample is available in the attached file jetty-rewrite.xml.
In addition, the following setting should be added to the file ./jetty/start.ini:
This module will also be added (since release 1.12.3) by calling the script
- To limit the response headers to client browsers and to exclude them from responses to REST clients, apply the following pattern to ./jetty/etc/jetty-rewrite.xml:
- Limiting the response headers to client browsers only becomes available with release 1.13.9.
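A check for the configuration described on this page, added here as an example and not part of the JOC Cockpit sources: given the response headers an HTTP client received from JOC Cockpit, it reports headers that are missing or differ from the values listed above for browser requests and, for REST client requests (release 1.13.9 behaviour), headers that should not have been sent at all. The sample response is constructed, not captured from a real installation.

```python
# Expected values as listed above; Permissions-Policy is checked for presence only.
EXPECTED_HEADERS = {
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def _hsts_ok(value):
    """True when HSTS carries max-age >= one year (31536000 s) and includeSubDomains."""
    directives = [d.strip().lower() for d in value.split(";")]
    ages = [int(d[8:]) for d in directives if d.startswith("max-age=") and d[8:].isdigit()]
    return bool(ages) and ages[0] >= 31536000 and "includesubdomains" in directives

def audit_headers(headers, browser=True):
    """Return a list of findings; an empty list means the response is as intended.

    `headers` maps header name -> value as returned by an HTTP client (names are
    compared case-insensitively). Browser responses must carry every header with
    its expected value; REST client responses (release 1.13.9) must carry none.
    """
    got = {k.lower(): v.strip() for k, v in headers.items()}
    checks = dict(EXPECTED_HEADERS)
    checks["Permissions-Policy"] = None          # presence only
    checks["Strict-Transport-Security"] = _hsts_ok
    findings = []
    for name, want in checks.items():
        value = got.get(name.lower())
        if not browser:
            if value is not None:
                findings.append(f"{name}: sent to a REST client")
        elif value is None:
            findings.append(f"{name}: missing")
        elif callable(want) and not want(value):
            findings.append(f"{name}: weak value {value!r}")
        elif isinstance(want, str) and value.lower() != want.lower():
            findings.append(f"{name}: got {value!r}, want {want!r}")
    return findings

# Constructed sample (not a real JOC Cockpit capture): a browser response that
# lacks Content-Security-Policy and carries a too-short HSTS max-age.
SAMPLE_BROWSER_RESPONSE = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(none), microphone=(none)",
    "Strict-Transport-Security": "max-age=300",
}
```

Run it once against the headers of a response obtained with a browser-style request and once against a response obtained with a REST client; both lists should be empty on a correctly configured release 1.13.9 installation.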