Recommended HTTP response headers

This page lists recommended HTTP response headers that improve the security of Caplin FX Mobile.

For guidance on setting HTTP headers, see Setting HTTP response headers.

X-Frame-Options

The X-Frame-Options response header can be used to indicate that a web page should not render in a <frame>, <iframe>, <embed>, or <object> element. This header helps prevent clickjacking attacks. For more information, see the OWASP Clickjacking Defence Cheat Sheet.

Recommended value
X-Frame-Options: deny

Content-Security-Policy

The Content-Security-Policy response header allows system administrators to control the resources the browser is allowed to load for a given page. For more information, see the OWASP Content Security Policy Cheat Sheet.

Caplin recommend you set the following value for the Content-Security-Policy HTTP header, substituting appropriate values for <primary-liberator-server>, <primary-liberator-port>, <secondary-liberator-server>, and <secondary-liberator-port>.

Recommended value
Content-Security-Policy: frame-ancestors 'none'; default-src 'self'; script-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; style-src blob: 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' blob: wss://<primary-liberator-server>:<primary-liberator-port>/ https://<primary-liberator-server>:<primary-liberator-port>/ wss://<secondary-liberator-server>:<secondary-liberator-port>/ https://<secondary-liberator-server>:<secondary-liberator-port>/; worker-src blob: 'self'; frame-src blob: 'self' https://<primary-liberator-server>:<primary-liberator-port>/ https://<secondary-liberator-server>:<secondary-liberator-port>/;

Strict-Transport-Security

The Strict-Transport-Security response header can be used to indicate to browsers that a given website should only be accessed via HTTPS. For more information, see the OWASP HTTP Strict Transport Security Cheat Sheet.

Recommended value
Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Content-Type-Options

The X-Content-Type-Options response HTTP header can be used to disable MIME-type detection ('sniffing') in web browsers. When MIME-type detection is permitted, a browser may ignore the declared MIME type of a resource in the Content-Type header if the browser detects executable content in the resource.

Recommended value
X-Content-Type-Options: nosniff

X-XSS-Protection

The X-XSS-Protection response HTTP header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

Recommended value
X-XSS-Protection: 1; mode=block

Referrer-Policy

The Referrer-Policy response HTTP header prevents possible leaking of information in the Referer HTTP header.

Note the difference in spelling of 'referrer' in the headers Referrer-Policy and Referer. The older Referer header is a misspelling of 'referrer'.
Recommended value
Referrer-Policy: same-origin

Feature-Policy

The Feature-Policy response HTTP restricts the web application’s access to browser features not used by the application, which reduces the attack surface if the web application is compromised.

Recommended value
Feature-Policy: ambient-light-sensor 'none'; autoplay 'none'; accelerometer 'none'; camera 'none'; display-capture 'none'; document-domain 'self'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'self'; sync-xhr 'self'; usb 'none'; wake-lock 'none'; webauthn 'none'; vr 'none'; xr-spatial-tracking 'none'

Expect-CT

The Expect-CT response HTTP header enforces Certificate Transparency (CT) in web browsers. When CT is enforced, the browser rejects a TLS certificate for your website if it does not contain valid signed certificate timestamps (SCTs) from valid CT logs. This prevents the browser from subsequently accepting certificates for your website that have been issued 'off-the-record' by the public-key infrastructure (PKI) of a compromised certificate authority (CA).

Recommended value
Expect-CT: enforce, max-age=172800

Cache-Control

The Cache-Control HTTP header can be used to prevent browsers from caching web application resources to disk.

Recommended value
Cache-Control: no-store