Configuring Header Policies for the Identity Provider
ULTIMATE
Feature Deprecation
Please note that the Policies feature, including Header Policy configuration, was deprecated in qibb v1.43.0 and will be removed in qibb v1.45.0.
Functionality will be replaced by a custom configuration request via our service desk (Ultimate subscription required). Ultimate customers can request login and policy configuration through a support ticket. Otherwise, default configuration will apply based on industry best practices.
Admins can increase the security of the Identity Provider by setting up security defenses such as restrictive HTTP response headers.
Header Settings
The following table gives an overview of available Header Settings:
| Option | Description |
|---|---|
| X-Frame-Options | Default value prevents pages from being included by non-origin iframes. |
| Content-Security-Policy | Default value prevents pages from being included by non-origin iframes. |
| Content-Security-Policy-Report-Only | For testing Content Security Policies. |
| X-Content-Type-Options | Default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. |
| X-Robots-Tag | Prevents pages from appearing in search engines. |
| X-XSS-Protection | This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behavior, the browser will prevent rendering of the page when an XSS attack is detected. |
| HTTP Strict Transport Security (HSTS) | The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the duration specified in max-age (1 year), including the subdomains. |
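The following script is an added example, not part of the qibb documentation, for checking that an Identity Provider's responses actually carry the protections the table describes (anti-framing, nosniff, search-engine exclusion, one-year HSTS with subdomains). The sample header sets are constructed here; the concrete header values are assumptions, not qibb's documented defaults.

```python
"""Audit identity-provider response headers against the header policy above.
Added example; expected values are assumptions drawn from the table."""
import re

ONE_YEAR = 31536000  # seconds; the "1 year" max-age the table mentions for HSTS


def _hsts_ok(value):
    """HSTS must pin HTTPS for at least one year and cover subdomains."""
    directives = {d.strip().lower() for d in value.split(";") if d.strip()}
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return max_age is not None and max_age >= ONE_YEAR and "includesubdomains" in directives


def _framing_ok(h):
    """Pages must not be embeddable by non-origin iframes. Browsers let a CSP
    frame-ancestors directive override X-Frame-Options, so check CSP first."""
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            return sources <= {"none", "self"}
    return h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN")


def audit_headers(raw_headers):
    """Return {check_name: passed} for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in raw_headers.items()}
    return {
        "anti-framing": _framing_ok(h),
        "nosniff": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "robots-noindex": any(t in h.get("x-robots-tag", "").lower() for t in ("none", "noindex")),
        "hsts": _hsts_ok(h.get("strict-transport-security", "")),
    }


# Constructed sample responses (not captured from a real deployment).
HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "none",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK = {
    "X-Frame-Options": "SAMEORIGIN",  # ineffective: the CSP below allows any framer
    "Content-Security-Policy": "frame-ancestors *",
    "Strict-Transport-Security": "max-age=300",  # five minutes, no subdomains
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_headers(hdrs))
```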