HTTP Security Policy
Plugin
{
  "groupId": "io.apiman.plugins",
  "artifactId": "apiman-plugins-http-security-policy",
  "version": "3.2.0-SNAPSHOT"
}
Configuration
Option | Type | Description | Default |
---|---|---|---|
frameOptions | Enum [DENY, SAMEORIGIN, DISABLED] | Frame Options: Defines if, or how, a resource should be displayed in a frame, iframe or object. | DISABLED |
xssProtection | Enum [OFF, ON, BLOCK, DISABLED] | XSS Protection: Enable or disable XSS filtering in the UA. | DISABLED |
contentTypeOptions | Boolean | X-Content-Type-Options: Prevent MIME-sniffing to any type other than the declared Content-Type. | false |
hsts | Object (see hsts) | HTTP Strict Transport Security: Configure HSTS. | None |
contentSecurityPolicy | Object (see contentSecurityPolicy) | Content Security Policy: CSP definition. | None |
hsts
Option | Type | Description | Default |
---|---|---|---|
enabled | Boolean | HSTS: Enable HTTP Strict Transport | false |
includeSubdomains | Boolean | Include subdomains | false |
maxAge | Integer | Maximum age: Delta seconds user agents should cache HSTS status for | 0 |
preload | Boolean | Enable HSTS preloading: Flag to verify HSTS preload status. Popular browsers contain a hard-coded (pinned) list of domains and certificates, which they always connect securely with. This mitigates a wide range of identity and MITM attacks, and is particularly useful for high-profile domains. Users must submit a request for their domain to be included in the scheme. | false |
contentSecurityPolicy (Content Security Policy)
Option | Type | Description | Default |
---|---|---|---|
mode | Enum [ENABLED, REPORT_ONLY, DISABLED] | CSP Mode: Which content security policy mode to use. | DISABLED |
csp | String | Content Security Policy: A valid CSP definition to apply | Empty string |
Sample Configuration
{
  "contentSecurityPolicy" : {
    "mode" : "REPORT_ONLY",
    "csp" : "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
  },
  "frameOptions" : "SAMEORIGIN",
  "contentTypeOptions" : true,
  "hsts" : {
    "includeSubdomains" : true,
    "preload" : false,
    "enabled" : true,
    "maxAge" : 9001
  },
  "xssProtection" : "ON"
}
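An added example (not part of the apiman plugin or its documentation): a small Python audit over a configuration that uses the option names above. It flags CSP keywords written without single quotes, which browsers parse as host names, and HSTS settings that lapse quickly or fall short of the preload list's requirements. The `audit` function, the one-year threshold applied to non-preload HSTS, the reading of DISABLED/false as "header not sent" and the input are assumptions of this example.

```python
import json

# Constructed input: bare CSP keywords and a short HSTS max-age.
SAMPLE = json.loads("""{
  "contentSecurityPolicy": {"mode": "REPORT_ONLY",
    "csp": "default-src none; script-src self; connect-src self; img-src self; style-src self;"},
  "frameOptions": "SAMEORIGIN", "contentTypeOptions": true,
  "hsts": {"includeSubdomains": true, "preload": false, "enabled": true, "maxAge": 9001},
  "xssProtection": "ON"
}""")

# These sources are keywords only when single-quoted; bare, they are host names.
CSP_KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
ONE_YEAR = 31536000  # seconds; minimum max-age for browser preload list submission


def audit(config):
    """Return (option, message) findings for one policy configuration (hypothetical helper)."""
    findings = []
    csp = config.get("contentSecurityPolicy", {})
    mode = csp.get("mode", "DISABLED")
    if mode == "REPORT_ONLY":
        findings.append(("contentSecurityPolicy.mode", "violations are reported, nothing is blocked"))
    if mode != "DISABLED":
        for directive in filter(None, (d.strip() for d in csp.get("csp", "").split(";"))):
            name, *sources = directive.split()
            for src in sources:
                if src.lower() in CSP_KEYWORDS:
                    findings.append(("contentSecurityPolicy.csp",
                                     f"{name}: bare {src} parses as a host name; write '{src}'"))
    hsts = config.get("hsts", {})
    if hsts.get("enabled"):
        max_age = hsts.get("maxAge", 0)
        if max_age == 0:
            findings.append(("hsts.maxAge", "max-age=0 tells browsers to drop the HSTS entry"))
        elif max_age < ONE_YEAR:
            findings.append(("hsts.maxAge", f"{max_age}s is under one year ({ONE_YEAR}s)"))
        if hsts.get("preload") and not (hsts.get("includeSubdomains") and max_age >= ONE_YEAR):
            findings.append(("hsts.preload", "preload needs includeSubdomains and maxAge >= one year"))
    if config.get("frameOptions", "DISABLED") == "DISABLED":
        findings.append(("frameOptions", "DISABLED: this policy places no restriction on framing"))
    if not config.get("contentTypeOptions", False):
        findings.append(("contentTypeOptions", "false: MIME sniffing is not prevented"))
    return findings


if __name__ == "__main__":
    for option, message in audit(SAMPLE):
        print(f"{option}: {message}")
```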