This section explains how to minimize the security threats to the Jaggery applications hosted within your WSO2 DAS pack. This is achieved via security headers embedded in the HTTP responses of these applications.


Available headers

The following headers should always be enabled to enhance the security of Jaggery applications.

Header | Purpose
X-XSS-Protection: 1; mode=block | Enables reflected XSS protection in supported web browsers.
X-Content-Type-Options: nosniff | Disables MIME sniffing, which can result in reflected or stored XSS in certain browsers.
Cache-Control: no-store, no-cache, must-revalidate, private | Prevents sensitive information from being cached in web browsers, proxies and other intermediate network devices.

In addition, the following headers should be enabled based on the requirements of the application. These headers can be customized per URL pattern.

Header | Purpose
X-Frame-Options: DENY | Disables embedding Jaggery apps in iframes or frames.
X-Frame-Options: SAMEORIGIN | Allows Jaggery apps to be embedded in iframes or frames only within the same origin.

Info

The X-Frame-Options header mitigates clickjacking attacks. Out-of-the-box Jaggery applications need to use the SAMEORIGIN option. The DENY option should not be used because some out-of-the-box dashboards may use framing. If an application that resides outside the origin needs to frame a Jaggery app, then the X-Frame-Options header must not be returned at all. This must be configured per application requirement, taking the security risk into consideration.
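As an added example (not part of the original page or of WSO2's own code), the following audit function checks a captured set of response headers against the recommendations above, including the X-Frame-Options caveat: SAMEORIGIN is expected, DENY is flagged, and when cross-origin framing is required the header must be absent. The sample responses are constructed for illustration.

```python
"""Audit HTTP response headers of a Jaggery app against the recommended set."""
from typing import Dict, List, Optional

# Headers that should always be present, with the exact recommended values.
REQUIRED_EXACT = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
# Every directive the recommended Cache-Control value must carry.
CACHE_CONTROL_DIRECTIVES = {"no-store", "no-cache", "must-revalidate", "private"}


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_headers(headers: Dict[str, str], cross_origin_framing: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the response is compliant."""
    findings: List[str] = []
    for name, expected in REQUIRED_EXACT.items():
        actual = _lookup(headers, name)
        if actual is None:
            findings.append(f"missing {name}")
        elif actual.strip().lower() != expected.lower():
            findings.append(f"{name} is '{actual}', expected '{expected}'")
    cache = _lookup(headers, "Cache-Control")
    if cache is None:
        findings.append("missing Cache-Control")
    else:
        present = {d.strip().lower() for d in cache.split(",")}
        lacking = sorted(CACHE_CONTROL_DIRECTIVES - present)
        if lacking:
            findings.append("Cache-Control lacks " + ", ".join(lacking))
    xfo = _lookup(headers, "X-Frame-Options")
    if cross_origin_framing:
        # The page requires the header to be omitted entirely in this case.
        if xfo is not None:
            findings.append("X-Frame-Options present although cross-origin framing is required")
    elif xfo is None:
        findings.append("missing X-Frame-Options (SAMEORIGIN recommended)")
    elif xfo.strip().upper() == "DENY":
        findings.append("X-Frame-Options DENY may break out-of-the-box dashboards that use framing")
    elif xfo.strip().upper() != "SAMEORIGIN":
        findings.append(f"X-Frame-Options has unexpected value '{xfo}'")
    return findings


# Constructed sample responses: one hardened, one with weak and missing headers.
HARDENED = {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
            "Cache-Control": "no-store, no-cache, must-revalidate, private"}
WEAK = {"Content-Type": "text/html", "x-content-type-options": "nosniff",
        "Cache-Control": "private", "X-Frame-Options": "DENY"}
```

Run `audit_headers(WEAK)` to see the three findings for the weak sample; `audit_headers(HARDENED)` returns an empty list.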

...