Configuring HTTP security headers - Latest

Spectrum Spatial Guide

Product type: Software
Portfolio: Locate
Product family: Spectrum™ software
Product: Spectrum™ software > Spatial > Spectrum Spatial
Version: Latest
Locale: en-US
Product name: Spectrum Technology Platform
Copyright: 2025
First publish date: 2007
Last edition: 2025-03-07
Last publication: 2025-03-07T10:28:48.112000

Security headers are HTTP response directives that a web application uses to configure the security defenses built into web browsers. With these directives in place, browsers can make client-side vulnerabilities such as Cross-Site Scripting (XSS) and Clickjacking much harder to exploit.

Enabling suitable security headers on the server side improves the resilience of the web application against many common attacks. Headers can also instruct the browser to communicate with the server only over valid TLS connections.

In Spectrum Spatial Analyst, the web.xml file contains the elements that configure and customize the security defenses applied by the web browser. For a default Spectrum Spatial Analyst installation, the web.xml file is located at: <Install_Dir>\Tomcat\AnalystConnect\webapps\connect\WEB-INF\web.xml.

You can configure the following policies to customize the security headers.

Customizable security headers

  • Permissions-Policy
  • Strict-Transport-Security Policy
  • Referrer-Policy

Configure the Permissions-Policy

  1. Open the web.xml file in a text editor such as Notepad++.
    Note: It is recommended that you back up the web.xml file before editing it.
  2. After you have opened the web.xml file, scroll to the http-header-security-filter entry.
    <filter>
      <filter-name>http-header-security-filter</filter-name>
      <filter-class>com.pb.stratus.filter.HttpHeaderSecurityFilter</filter-class>
      <init-param>
        <param-name>Permissions-Policy</param-name>
        <param-value>accelerometer=(), geolocation=(), camera=(), encrypted-media=(), fullscreen=(), gyroscope=(), magnetometer=(), sync-xhr=()</param-value>
      </init-param>
    </filter>
  3. Edit the parameter value of Permissions-Policy as required.
  4. Save the web.xml file.
  5. Restart the Analyst Connect service.

Configure the Strict-Transport-Security Policy

  1. Open the web.xml file in a text editor such as Notepad++.
  2. After you have opened the web.xml file, scroll to the HeaderSecurityFilter entry.
    <filter>
      <filter-name>HeaderSecurityFilter</filter-name>
      <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
      <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
      </init-param>
      <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>hstsPreload</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
      </init-param>
      <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
      </init-param>
    </filter>
  3. Edit the parameter values as required, with reference to the attribute descriptions below.
  4. Save the web.xml file.
  5. Restart the Analyst Connect service.

Attribute descriptions:

  • hstsEnabled: Whether an HTTP Strict Transport Security (HSTS) header (Strict-Transport-Security) is set on the response for secure requests. Any HSTS header already present is replaced.
  • hstsMaxAgeSeconds: The max-age value used in the HSTS header. Negative values are treated as zero. If not specified, the default value of 0 is used.
  • hstsIncludeSubDomains: Whether the includeSubDomains parameter is included in the HSTS header. If not specified, the default value of false is used.
  • hstsPreload: Whether the preload parameter is included in the HSTS header. If not specified, the default value of false is used.
  • antiClickJackingEnabled: Whether the anti-clickjacking header (X-Frame-Options) is set on the response. Any anti-clickjacking header already present is replaced. If not specified, the default value of true is used.
  • antiClickJackingOption: The value used for the anti-clickjacking header. Must be one of DENY, SAMEORIGIN, or ALLOW-FROM (case-insensitive). If not specified, the default value of DENY is used.
  • antiClickJackingUri: If ALLOW-FROM is used for antiClickJackingOption, the URI that is allowed. If not specified, the default value of an empty string is used.
  • blockContentTypeSniffingEnabled: Whether the header that blocks content type sniffing (X-Content-Type-Options) is set on every response. If already present, the header is replaced. If not specified, the default value of true is used.
  • xssProtectionEnabled: Whether the header that enables the browser's cross-site scripting filter (X-XSS-Protection: 1; mode=block) is set on every response. If already present, the header is replaced. If not specified, the default value of true is used.
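Editing web.xml only states the intent; a reverse proxy or a second filter can still drop or rewrite a header before it reaches the browser. The following Python script is an added example for this guide (it is not Spectrum's code and not part of the product): it parses a web.xml fragment modelled on the two filter entries above, derives the headers those filters should emit by applying the rules in the attribute descriptions (negative max-age treated as 0, defaults for omitted parameters), and diffs them against headers observed in a response. It assumes the Tomcat filter's header layout (max-age=N;includeSubDomains;preload) and that the Spectrum http-header-security-filter emits its Permissions-Policy param-value verbatim; the web.xml fragment (Permissions-Policy shortened) and the response headers are constructed sample data.

```python
"""Derive the headers the two web.xml filters should emit and diff them against
an observed response. Added example, not Spectrum's code; assumes the Tomcat
HttpHeaderSecurityFilter header layout and that the custom filter emits its
Permissions-Policy param-value verbatim. All sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the two filter entries in this guide.
# Real web.xml files carry a default namespace; the {*} wildcards (Python 3.8+)
# used below match elements with or without one.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>http-header-security-filter</filter-name>
    <filter-class>com.pb.stratus.filter.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>Permissions-Policy</param-name>
      <param-value>accelerometer=(), geolocation=(), camera=()</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsPreload</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
    <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>xssProtectionEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""


def init_params(web_xml: str, filter_name: str) -> dict:
    """Return the init-param name/value pairs of the named <filter>."""
    for flt in ET.fromstring(web_xml).iterfind(".//{*}filter"):
        if flt.findtext("{*}filter-name") == filter_name:
            return {p.findtext("{*}param-name"): (p.findtext("{*}param-value") or "").strip()
                    for p in flt.iterfind("{*}init-param")}
    raise KeyError(f"filter {filter_name!r} not found")


def _on(params: dict, name: str, default: bool) -> bool:
    """Boolean init-param with the default the attribute descriptions give."""
    return params.get(name, str(default)).strip().lower() == "true"


def expected_headers(web_xml: str) -> dict:
    """Headers the two filters should add, following the attribute descriptions."""
    headers = {}
    custom = init_params(web_xml, "http-header-security-filter")
    if "Permissions-Policy" in custom:
        headers["Permissions-Policy"] = custom["Permissions-Policy"]
    tomcat = init_params(web_xml, "HeaderSecurityFilter")
    if _on(tomcat, "hstsEnabled", False):
        max_age = max(0, int(tomcat.get("hstsMaxAgeSeconds", "0")))  # negative -> 0
        hsts = f"max-age={max_age}"
        hsts += ";includeSubDomains" if _on(tomcat, "hstsIncludeSubDomains", False) else ""
        hsts += ";preload" if _on(tomcat, "hstsPreload", False) else ""
        headers["Strict-Transport-Security"] = hsts
    if _on(tomcat, "antiClickJackingEnabled", True):
        option = tomcat.get("antiClickJackingOption", "DENY").upper()
        if option == "ALLOW-FROM":  # current browsers no longer honour ALLOW-FROM
            option += " " + tomcat.get("antiClickJackingUri", "")
        headers["X-Frame-Options"] = option
    if _on(tomcat, "blockContentTypeSniffingEnabled", True):
        headers["X-Content-Type-Options"] = "nosniff"
    if _on(tomcat, "xssProtectionEnabled", True):
        headers["X-XSS-Protection"] = "1; mode=block"
    return headers


def _directives(value: str) -> list:
    """Header value as sorted lower-case directives: order and spacing ignored."""
    return sorted(d.strip().lower() for d in re.split(r"[;,]", value) if d.strip())


def compare_headers(expected: dict, observed: dict) -> list:
    """Return (header, expected, observed) for headers that are missing or differ.
    Names match case-insensitively and values by directive set, so a header
    re-serialised by a reverse proxy still counts as present and correct."""
    observed_ci = {k.lower(): v for k, v in observed.items()}
    return [(name, want, observed_ci.get(name.lower()))
            for name, want in expected.items()
            if observed_ci.get(name.lower()) is None
            or _directives(observed_ci[name.lower()]) != _directives(want)]


# Constructed response headers: a proxy has dropped Permissions-Policy and
# shortened the HSTS policy, so compare_headers should report exactly those two.
SAMPLE_RESPONSE = {
    "strict-transport-security": "max-age=31536000",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1;mode=block",
}

if __name__ == "__main__":
    for name, want, got in compare_headers(expected_headers(SAMPLE_WEB_XML), SAMPLE_RESPONSE):
        print(f"{name}: expected {want!r}, observed {got!r}")
```

In practice you would replace SAMPLE_WEB_XML with the contents of the installed web.xml and SAMPLE_RESPONSE with the headers returned by the Analyst Connect service over HTTPS; HSTS in particular is only set on secure requests, so a check made over plain HTTP would report it missing for the wrong reason.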

Configure the Referrer-Policy

  1. Open the index.html file in a text editor such as Notepad++. The index.html file is located at: <Install_Dir>\Tomcat\AnalystConnect\webapps\connect\mobile.
  2. After you have opened the index.html file, scroll to the meta tag with name="referrer".
  3. Edit the value as required.
  4. Reload the Analyst application in the browser.
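A referrer policy that is misspelled is silently ignored by browsers, which then fall back to their default, so it is worth checking the edited value rather than trusting the edit. The following Python script is an added example for this guide (not Spectrum's code and not the shipped index.html): it locates the meta tag with name="referrer" the way step 2 does, reads its content attribute, and classifies the policy as missing, not a recognised token, one that sends the full page URL (path and query string) to other origins, or a restrictive one. The HTML is a constructed sample.

```python
"""Read the referrer meta tag from an index.html and classify its policy.
Added example, not Spectrum's code; the HTML below is a constructed sample."""
from html.parser import HTMLParser

# Policy tokens defined by the Referrer Policy specification.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that send the full URL, including the query string, to other
# origins over HTTPS; anything sensitive in the Analyst URL would travel with it.
LEAKS_FULL_URL_CROSS_ORIGIN = {"no-referrer-when-downgrade", "unsafe-url"}

# Constructed stand-in for <Install_Dir>\Tomcat\AnalystConnect\webapps\connect\mobile\index.html.
SAMPLE_INDEX_HTML = """<!DOCTYPE html><html><head>
<meta charset="utf-8">
<meta name="referrer" content="strict-origin-when-cross-origin">
<title>Spectrum Spatial Analyst</title></head><body></body></html>"""


class _ReferrerMetaFinder(HTMLParser):
    """Collects the content of every <meta name="referrer"> tag seen."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.values.append((a.get("content") or "").strip().lower())


def referrer_policy(html: str):
    """Return the content of the first <meta name="referrer">, or None if absent."""
    finder = _ReferrerMetaFinder()
    finder.feed(html)
    finder.close()
    return finder.values[0] if finder.values else None


def assess_referrer_policy(html: str) -> str:
    """Classify the page's referrer policy: 'missing', 'invalid', 'leaky' or 'ok'."""
    policy = referrer_policy(html)
    if not policy:  # no tag or empty content: the browser's default policy applies
        return "missing"
    if policy not in VALID_POLICIES:  # unknown tokens are ignored, default applies
        return "invalid"
    if policy in LEAKS_FULL_URL_CROSS_ORIGIN:
        return "leaky"
    return "ok"


if __name__ == "__main__":
    print(referrer_policy(SAMPLE_INDEX_HTML), assess_referrer_policy(SAMPLE_INDEX_HTML))
```

Point referrer_policy at the real file (open it and pass its text) after step 3; an "invalid" result means the browser will behave as if no policy were set, which is the failure mode a plain visual check of the tag tends to miss.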