Extension for applying the protection:
You apply protections to your API as strategies by using the x-42c security extensions, either locally to specific paths, operations, responses, or HTTP status codes, or alternatively to all incoming requests or outgoing responses. For more details, see Protections and security extensions.
The security headers protection adds the following security headers in the response that is sent back to the client:
Strict-Transport-Security: This header tells the client application or browser how long it should remember that the API is only accessible over TLS. You can set the time (in seconds) with the parameter hsts.max_age. For more details, see RFC 6797.
X-Frame-Options: This header prevents rendering a page in a frame and protects against clickjacking. The value is always deny and not configurable. For more details, see RFC 7034.
X-Content-Type-Options: This header prevents MIME type sniffing. The value is always nosniff and not configurable. For more details, see the Fetch standard.
X-XSS-Protection: This header stops a page from loading if a reflected cross-site scripting (XSS) attack is detected. The value is always 1; mode=block and not configurable. For more details, see OWASP Secure Headers Project.
Content-Security-Policy: This header controls the resources that a client can fetch or execute. You can define all parameters for this header to match the content security policy you want to use. The default policy is default-src: 'self'; upgrade-insecure-requests; referrer no-referrer, which indicates that resources can only be loaded from the location of the API, imposes TLS on all requests, and prevents sending referrer information to the API. For more details, see Content Security Policy Level 2.
This protection also removes a specific set of headers added by development frameworks or web servers that could reveal internal information that should not be publicly available. The parameter remove.headers is a JSON array of header names that API Firewall removes from responses sent to client applications. By default, the removed headers are those that the Microsoft ASP.Net framework adds (
The security headers protection provides two different operation modes:
add-only: API Firewall adds only the headers missing from the response that the backend sent. This way, the protection does not override the headers that the backend service set.
add-replace: API Firewall adds all the headers. The headers already present in the response that the backend sent are replaced with the headers from the protection.
Use the parameter mode to specify which mode API Firewall uses.
This protection applies only to outgoing responses.
You can configure the following optional parameters:
| Parameter | Description |
| hsts.max_age | The maximum age of the header (in seconds). |
| csp.policy | The content security policy for the header. |
| remove.headers | Headers to be removed from the response sent back to the client. The default value is |
| mode | The operation mode of this protection. The possible values are add-only and add-replace. |
```yaml
responses:
  200:
    # ...
    x-42c-local-strategy:
      x-42c-strategy:
        protections:
          - x-42c-security-headers_0.1:
              hsts.max_age: 7200
              csp.policy: "default-src: 'self'; upgrade-insecure-requests; block-all-mixed-content"
              mode: add-replace
# ...
```
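To make the difference between add-only and add-replace concrete, and to show how remove.headers interacts with them, here is an added example (not code from 42Crunch or from this page) that models the protection's effect on a backend response and lists which of the five protection headers a response is still missing. It assumes header names are matched case-insensitively and that HSTS is emitted in the RFC 6797 form max-age=<seconds>; the backend response and the removed-header list are constructed sample data.

```python
from typing import Dict, Iterable, List

# Values the protection always emits (they are not configurable, per the text above).
FIXED_HEADERS = {
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
DEFAULT_CSP = "default-src: 'self'; upgrade-insecure-requests; referrer no-referrer"
PROTECTION_HEADERS = list(FIXED_HEADERS) + ["Strict-Transport-Security", "Content-Security-Policy"]


def apply_security_headers(backend_headers: Dict[str, str], mode: str = "add-only",
                           hsts_max_age: int = 7200, csp_policy: str = DEFAULT_CSP,
                           remove_headers: Iterable[str] = ()) -> Dict[str, str]:
    """Return the headers the client receives after the protection runs.
    Assumption (not stated on the page): names match case-insensitively and
    the HSTS value is emitted as 'max-age=<seconds>' (RFC 6797 syntax).
    """
    if mode not in ("add-only", "add-replace"):
        raise ValueError(f"unknown mode: {mode}")
    drop = {h.lower() for h in remove_headers}
    # Step 1: strip the headers configured in remove.headers (framework/server fingerprints).
    result = {k: v for k, v in backend_headers.items() if k.lower() not in drop}
    present = {k.lower(): k for k in result}
    protection = dict(FIXED_HEADERS)
    protection["Strict-Transport-Security"] = f"max-age={hsts_max_age}"
    protection["Content-Security-Policy"] = csp_policy
    # Step 2: add the protection headers; overwrite backend values only in add-replace mode.
    for name, value in protection.items():
        existing = present.get(name.lower())
        if existing is None:
            result[name] = value
        elif mode == "add-replace":
            result[existing] = value
    return result


def missing_protection_headers(headers: Dict[str, str]) -> List[str]:
    """Names of the five protection headers absent from a response (for checking a live API)."""
    have = {k.lower() for k in headers}
    return [h for h in PROTECTION_HEADERS if h.lower() not in have]


if __name__ == "__main__":
    # Constructed sample backend response from an ASP.NET-style service (not from the page).
    backend = {"Content-Type": "application/json", "Server": "Microsoft-IIS/10.0",
               "X-Powered-By": "ASP.NET", "X-Frame-Options": "SAMEORIGIN"}
    print(missing_protection_headers(backend))
    print(apply_security_headers(backend, "add-replace", remove_headers=["Server", "X-Powered-By"]))
```

In add-only mode the backend's weaker X-Frame-Options: SAMEORIGIN survives, which is why add-replace is the safer choice when the backend's own headers are not trusted.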