This section outlines the security enhancements to the HTTP headers sent by Itential Automation Platform (IAP) and explains why the httpOnly cookie flag is not set on all occurrences.
| Header | Syntax | Description |
|---|---|---|
| Access-Control-Allow-Origin | `*` | Tells the browser to allow code from any origin to access a resource. |
| Access-Control-Allow-Headers | `Origin, X-Requested-With, Content-Type, Accept` | Used in response to a preflight request that includes Access-Control-Request-Headers, to indicate which HTTP headers can be used during the actual request. |
| Access-Control-Allow-Methods | `POST, GET, DELETE, OPTIONS` | Specifies the HTTP methods allowed when accessing the resource, in response to a preflight request. |
| X-Frame-Options | `SAMEORIGIN` | The page can only be displayed in a frame on the same origin as the page itself. |
| X-Content-Type-Options | `nosniff` | A marker used by the server to indicate that the MIME types advertised in the Content-Type headers must not be changed and must be followed. |
| Strict-Transport-Security | `max-age=31536000; includeSubDomains; preload` | The HTTP Strict-Transport-Security (HSTS) response header lets a web site tell browsers that it should only be accessed using HTTPS, never plain HTTP. |
These headers are defined in `properties.json` / `expressProps`.
| Header | Syntax | Description |
|---|---|---|
| Cache-Control | `Private, No-Cache, No-Store, Must-Revalidate` | Caching directives that can be used by the server in an HTTP response. |
| Pragma | `No-Cache` | Used for backwards compatibility with HTTP/1.0 caches, where the HTTP/1.1 Cache-Control header is not present. |
| Expires | `0` | The Expires header contains the date/time after which the response is considered stale. Invalid dates (e.g., the value 0) represent a date in the past and mean that the resource is already expired. |
| If-Modified-Since | `Mon, 1 Jan 2014 01:00:00 GMT` | The If-Modified-Since request header makes the request conditional: the server sends back the requested resource, with a 200 status, only if it has been modified after the given date. If the resource has not been modified since that date, the response is a 304. |
Cookies
- The Set-Cookie HTTP response header is used to send cookies from the server to the user agent.
- Saved on login.
- Token used for sessions.

| Value | Description |
|---|---|
| POST | The HTTP POST request to /login sets the cookie with the httpOnly flag set to true. |
| httpOnly | Cookies are not set for public, unauthenticated API calls, so the httpOnly flag does not appear on every response. |
| secure | The flag is set to true when IAP is run over SSL. |