HEADER (Common)
The HEADER element defines the request and response type communication carried on the HTTP protocol between web applications, web services and the client.
Syntax
<HEADER Name=id> value-list[;...] </HEADER>
- id defines the unique identifier for the HTTP header.
- value-list is a list of values separated by semi-colons.
Child elements
There are no child elements.
Usage
Starting with GAS 3.00, you can set custom HTTP headers for web applications and web services. This configuration takes place in the HTTP element of the INTERFACE_TO_CONNECTOR element of the GAS configuration file.
Use this element to define customized HTTP headers common to all applications. Configure HTTP headers for applications using the APPLICATION element and for web services using the SERVICE element.
To configure headers for individual applications or web services, see HEADER (Dedicated).
Usage example: Configure security headers
<INTERFACE_TO_CONNECTOR>
  ...
  <HTTP>
    <SESSION_COOKIE/>
    <APPLICATION>
      <HEADER Name="X-XSS-Protection">1; mode=block</HEADER>
      <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
      <HEADER Name="Strict-Transport-Security">max-age=31536000; includeSubDomains; preload</HEADER>
      <!--HEADER Name="X-Frame-Options">SAMEORIGIN</HEADER-->
    </APPLICATION>
    <SERVICE>
      <HEADER/>
    </SERVICE>
  </HTTP>
</INTERFACE_TO_CONNECTOR>
- The "X-XSS-Protection" header disables the cross-site scripting (XSS) filter built into most web browsers. This is usually enabled by default.
- The "X-Content-Type-Options" header prevents Microsoft® Edge and Google Chrome from sniffing a response away from the declared content-type. This helps reduce the danger of drive-by or unintended downloads.
Warning: On Internet Explorer 11, if an image file does not have an extension, use of this header may cause that image not to display. Make sure your image files have extensions if your applications need to serve images through the Genero Application Server (GAS).
- The "Strict-Transport-Security" header defines security for access to the application over HTTP. For more information on the HTTP Strict Transport Security (HSTS) header, see the IETF specification.
- The "X-Frame-Options" header provides clickjacking protection by not allowing iframes to load on your site.
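The following Python check is an added example, not part of the GAS documentation or product. It parses a configuration fragment shaped like the usage example above and reports, for the APPLICATION and SERVICE scopes, which HEADER elements are set, empty, commented out or missing. The baseline header list, the report layout and the function name audit_common_headers are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input mirroring the page's usage example (not a real GAS configuration file).
SAMPLE = """<INTERFACE_TO_CONNECTOR>
 <HTTP>
  <SESSION_COOKIE/>
  <APPLICATION>
   <HEADER Name="X-XSS-Protection">1; mode=block</HEADER>
   <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
   <HEADER Name="Strict-Transport-Security">max-age=31536000; includeSubDomains; preload</HEADER>
   <!--HEADER Name="X-Frame-Options">SAMEORIGIN</HEADER-->
  </APPLICATION>
  <SERVICE>
   <HEADER/>
  </SERVICE>
 </HTTP>
</INTERFACE_TO_CONNECTOR>"""

# Assumption: the four headers named on this page are the baseline to check for.
EXPECTED = ("X-XSS-Protection", "X-Content-Type-Options",
            "Strict-Transport-Security", "X-Frame-Options")

def audit_common_headers(xml_text, expected=EXPECTED):
    """Report per scope which HEADER elements are set, empty, commented out or missing."""
    # insert_comments=True (Python 3.8+) keeps <!-- ... --> nodes in the parsed tree.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    http = root if root.tag == "HTTP" else root.find(".//HTTP")
    report = {}
    for scope in ("APPLICATION", "SERVICE"):
        node = http.find(scope) if http is not None else None
        headers, empty, commented = {}, 0, []
        for child in (list(node) if node is not None else []):
            if child.tag is ET.Comment:  # a disabled header is still visible in the comment text
                commented += re.findall(r'HEADER\s+Name="([^"]+)"', child.text or "")
            elif child.tag == "HEADER":
                values = [v.strip() for v in (child.text or "").split(";") if v.strip()]
                if child.get("Name") and values:
                    headers[child.get("Name")] = values  # value-list is ';'-separated
                else:
                    empty += 1  # e.g. <HEADER/> with no Name and no values
        have = {name.lower() for name in headers}  # HTTP header names are case-insensitive
        report[scope] = {"set": headers, "empty": empty, "commented_out": commented,
                         "missing": [h for h in expected if h.lower() not in have]}
    return report

if __name__ == "__main__":
    print(audit_common_headers(SAMPLE))
```

On the sample, the APPLICATION scope reports X-Frame-Options as both commented out and missing, and the SERVICE scope reports one empty HEADER element and no headers set.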