Configuring Header Policies for the Identity Provider
ULTIMATE
Admins can increase security of the Identity Provider by setting up security defenses such as restricting headers.
Configuring Header Policies
As an admin, you can configure accepted headers by the Identity Provider:
To configure the Header Policy, perform the following steps:
Navigate to the Policies page.
Navigate to the Security Defenses tab.
Click on the Edit Button of the Headers Settings Panel.
A dialog will appear. Apply the desired changes and click on the Confirm Button.
Header Settings
The following table gives an overview of available Header Settings:
Option | Description |
|---|---|
X-Frame-Options | Default value prevents pages from being included by non-origin iframes. |
Content-Security-Policy | Default value prevents pages from being included by non-origin iframes. |
Content-Security-Policy-Report-Only | For testing Content Security Policies. |
X-Content-Type-Options | Default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. |
X-Robots-Tag | Prevent pages from appearing in search engines. |
X-XSS-Protection | This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behavior, the browser will prevent rendering of the page when a XSS attack is detected. |
HTTP Strict Transport Security (HSTS) | The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains. |