Security headers
Extension for applying the protection: x-42c-security-headers_0.1
You apply protections to your API as strategies by using the x-42c security extensions, either locally to specific paths, operations, responses, or HTTP status codes, or alternatively to all incoming requests or outgoing responses. For more details, see Protections and security extensions.
Description
The security headers protection adds the following security headers in the response that is sent back to the client:

Strict-Transport-Security
: This header tells the client application or browser how long it should remember that the API is only accessible through the TLS protocol. You can set the time (in seconds) with the parameter hsts.max_age. For more details, see RFC 6797.

X-Frame-Options
: This header prevents rendering a page in a frame and protects from clickjacking. The value is always deny and not configurable. For more details, see RFC 7034.

X-Content-Type-Options
: This header prevents MIME type sniffing. The value is always nosniff and not configurable. For more details, see the Fetch standard.

X-XSS-Protection
: This header stops a page from loading if a reflected cross-site scripting (XSS) attack is detected. The value is always 1; mode=block and not configurable. For more details, see OWASP Secure Headers Project.

Content-Security-Policy
: This header controls the resources that a client can fetch or execute. You can define all parameters for this header to match the content security policy you want to use. The default policy is default-src: 'self'; upgrade-insecure-requests; referrer no-referrer, which indicates that the resources can only be loaded from the location of the API, imposes the TLS protocol on all requests, and prevents sending referrer information to the API. For more details, see Content Security Policy Level 2.
This protection also removes a specific set of headers added by development frameworks or web servers that could reveal internal information that should not be publicly available. The parameter remove.headers is a JSON array of header names that API Firewall removes from responses sent to client applications. By default, the removed headers are those that the Microsoft ASP.NET framework adds (X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version).
The security headers protection provides two different operation modes:

add-only
: API Firewall adds only the headers missing from the response that the backend sent. This way, the protection does not override the headers that the backend service set.

add-replace
: API Firewall adds all the headers. The headers already present in the response that the backend sent are replaced with the headers from the protection.

Use the parameter mode to specify which mode API Firewall uses.
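The following is an added illustration of the header set, the remove.headers step and the difference between the add-only and add-replace modes described above; it is not 42Crunch API Firewall code, and the function names (protection_headers, apply_security_headers) are chosen for this example. It assumes that the Strict-Transport-Security value is rendered as max-age=N per RFC 6797, and that header names are matched case-insensitively when deciding whether the backend already set a header (HTTP header names are case-insensitive, so a backend that sends x-frame-options would otherwise end up with two copies of the header in add-only mode). The default values come from the Parameters table on this page.

```python
from typing import Dict, Iterable

# Constructed model of the security-headers protection; added example,
# not API Firewall's own implementation.

# Headers the page lists as "always ... and not configurable".
FIXED_HEADERS = {
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# Defaults as given in the Parameters table.
DEFAULT_CSP = "default-src: 'self'; upgrade-insecure-requests; referrer no-referrer"
DEFAULT_REMOVE = ["X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version"]


def protection_headers(hsts_max_age: int = 3600, csp_policy: str = DEFAULT_CSP) -> Dict[str, str]:
    """Return the headers the protection wants present in every response."""
    headers = {"Strict-Transport-Security": f"max-age={hsts_max_age}"}  # assumed RFC 6797 format
    headers.update(FIXED_HEADERS)
    headers["Content-Security-Policy"] = csp_policy
    return headers


def apply_security_headers(
    response_headers: Dict[str, str],
    mode: str = "add-only",
    hsts_max_age: int = 3600,
    csp_policy: str = DEFAULT_CSP,
    remove_headers: Iterable[str] = DEFAULT_REMOVE,
) -> Dict[str, str]:
    """Return the backend response headers after the protection has run.

    add-only    : only headers missing from the backend response are added.
    add-replace : the protection's headers overwrite whatever the backend sent.
    """
    if mode not in ("add-only", "add-replace"):
        raise ValueError(f"unknown mode: {mode}")

    # Step 1: strip the headers that reveal framework or server details.
    to_remove = {name.lower() for name in remove_headers}
    result = {k: v for k, v in response_headers.items() if k.lower() not in to_remove}

    # Step 2: add the security headers, honouring the mode.
    present = {k.lower(): k for k in result}  # lower-cased name -> name as sent by backend
    for name, value in protection_headers(hsts_max_age, csp_policy).items():
        existing = present.get(name.lower())
        if existing is None:
            result[name] = value            # missing: added in both modes
        elif mode == "add-replace":
            del result[existing]            # drop the backend's spelling and value
            result[name] = value            # and use the protection's header instead
        # add-only with the header already present: backend value is left untouched
    return result


if __name__ == "__main__":
    # Constructed backend response: leaks X-Powered-By and sets its own X-Frame-Options.
    backend = {
        "Content-Type": "application/json",
        "X-Powered-By": "ASP.NET",
        "x-frame-options": "SAMEORIGIN",
    }
    for m in ("add-only", "add-replace"):
        print(m, apply_security_headers(backend, mode=m, hsts_max_age=7200))
```

Running the script shows the practical difference: in add-only mode the backend's SAMEORIGIN frame policy survives (the firewall only fills in what is missing), while in add-replace mode it becomes the protection's fixed deny; the X-Powered-By header is removed in both modes.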
Direction
This protection applies only to outgoing responses.
Parameters
You can configure the following optional parameters:
Parameter name | Description |
---|---|
hsts.max_age | The maximum age of the header Strict-Transport-Security (in seconds). The default value is 3600. |
csp.policy | The content security policy for the header Content-Security-Policy that controls the resources that a client can fetch or execute. The default value is default-src: 'self'; upgrade-insecure-requests; referrer no-referrer. |
remove.headers | Headers to be removed from the response sent back to the client. The default value is X-Powered-By,X-AspNet-Version,X-AspNetMvc-Version. |
mode | The operation mode of this protection. The possible values are add-only (default) and add-replace. |
Example

```yaml
responses:
  200:
    # ...
    x-42c-local-strategy:
      x-42c-strategy:
        protections:
          - x-42c-security-headers_0.1:
              hsts.max_age: 7200
              csp.policy: "default-src: 'self'; upgrade-insecure-requests; block-all-mixed-content"
              mode: add-replace
    # ...
```