HTTP Header Security

What is HTTP Header Security?

HTTP Header Security adds security-related headers to the HTTP responses of the Webapps. The headers themselves carry no content; they instruct the browser to enable its built-in, client-side security mechanisms for the page.

Where to Find?

It is implemented with the help of a servlet filter and enabled by default for the Webapps.

The HTTP Header Security Filter can be configured (or disabled entirely) in the web.xml of the Webapps:

<!-- HTTP Header Security Filter -->
<filter>
  <filter-name>HttpHeaderSecurity</filter-name>
  <filter-class>
    org.camunda.bpm.webapp.impl.security.filter.headersec.HttpHeaderSecurityFilter
  </filter-class>

  <!-- Each init-param element holds exactly one param-name/param-value pair -->
  <init-param>
    <param-name>xssProtectionDisabled</param-name>
    <param-value>false</param-value>                  <!-- default value -->
  </init-param>

  <init-param>
    <param-name>xssProtectionOption</param-name>
    <param-value>BLOCK</param-value>                  <!-- default value -->
  </init-param>
</filter>

<filter-mapping>
  <filter-name>HttpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

How to Configure?

The following table shows the possible configuration options and the default behavior:

Header: X-XSS-Protection

xssProtectionOption
  The allowed set of values:
    • BLOCK: If the browser detects a cross-site scripting attack, the page is blocked completely (header value 1; mode=block)
    • SANITIZE: If the browser detects a cross-site scripting attack, the browser removes the suspicious parts and renders the rest of the page (header value 1; a value of 0 would switch the browser's filter off instead)
  Default: BLOCK

xssProtectionDisabled
  If set to true, the header is not sent at all. Allowed set of values: true and false.
  Default: false

xssProtectionValue
  A custom value for the header can be specified and is sent as given.
  Default: 1; mode=block
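A practical way to confirm that the filter does what the configuration says is to capture a response from the webapp and compare its X-XSS-Protection header with the value the init-params call for. The following is an added example and not code from Camunda: it resolves the header value expected for a combination of xssProtectionDisabled, xssProtectionOption and xssProtectionValue, then checks a captured response head against it, treating a missing, wrong or duplicated header (as a reverse proxy in front of the webapp could cause) as a failure. The precedence between the three parameters (disabled wins, then a custom value, then the option) and the exact strings behind BLOCK and SANITIZE are assumptions for this example; the sample responses are constructed, not captured from a real server.

```python
# Added example (not Camunda code): resolve the X-XSS-Protection value the
# HttpHeaderSecurity filter is expected to emit for a set of init-params,
# then check a captured HTTP response head against it.
from typing import Dict, List, Optional, Tuple

# Header values behind the two xssProtectionOption settings. The header
# semantics ("1" = filter and sanitize, "1; mode=block" = filter and block,
# "0" = filter off) are those documented on MDN; that BLOCK and SANITIZE
# map to exactly these strings is an assumption for this example.
OPTION_VALUES = {"BLOCK": "1; mode=block", "SANITIZE": "1"}


def expected_header(disabled: str = "false",
                    option: str = "BLOCK",
                    value: Optional[str] = None) -> Optional[str]:
    """Value the filter should send, or None when the header is disabled.

    Precedence is an assumption, not taken from the Camunda source:
    xssProtectionDisabled wins, then an explicit xssProtectionValue,
    then xssProtectionOption.
    """
    if disabled.strip().lower() == "true":
        return None
    if value:
        return value
    try:
        return OPTION_VALUES[option.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown xssProtectionOption: {option!r}") from None


def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Parse an HTTP/1.1 response head into {lower-case name: [values]}.

    Values are kept as lists so that a duplicated header (for example one
    added by a reverse proxy in front of the webapp) is not collapsed
    silently into a single value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if not line.strip():
            continue
        name, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(val.strip())
    return headers


def check_xss_header(raw_response: str, **config: str) -> Tuple[bool, str]:
    """Compare the response's X-XSS-Protection header with the value the
    configuration calls for. Returns (ok, explanation)."""
    actual = parse_response_head(raw_response).get("x-xss-protection", [])
    expected = expected_header(**config)
    if expected is None:
        if actual:
            return False, f"header disabled in config but response carries {actual}"
        return True, "header disabled and absent, as configured"
    if len(actual) > 1:
        return False, f"header sent more than once: {actual}"
    if not actual:
        return False, f"header missing, expected {expected!r}"
    if actual[0] != expected:
        return False, f"expected {expected!r}, got {actual[0]!r}"
    return True, f"header present with expected value {expected!r}"


# Constructed sample responses (not captured from a real server).
RESPONSE_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n<html>...</html>"
)
RESPONSE_NO_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    print(check_xss_header(RESPONSE_DEFAULT))                      # default config
    print(check_xss_header(RESPONSE_DEFAULT, option="SANITIZE"))   # mismatch
    print(check_xss_header(RESPONSE_NO_HEADER, disabled="true"))   # disabled, absent
```

Against a running installation the raw response head can be obtained with `curl -sI` against the webapp URL and passed to check_xss_header; checking the response as seen through any reverse proxy, not just on localhost, is what tells you whether the header actually reaches the browser.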

For further reading on how the X-XSS-Protection header works in detail, see Mozilla's MDN Web Docs. Note that the header is a non-standard, legacy mechanism: Chromium-based browsers have removed their XSS auditor and Firefox never implemented it, so it only protects users of older browsers and is no substitute for a Content-Security-Policy and proper output encoding in the application.
