HEADER
The HEADER element defines the request and response type communication carried on the HTTP protocol between Web applications, Web services and the client.
Syntax
<HEADER Name=id> value-list[;...]</HEADER>
- id defines the unique identifier for the HTTP header.
- value-list is a list of values separated by semi-colons.
Child elements
There are no child elements.
Usage
You use this element to define HTTP headers. HTTP headers can be configured for applications using the APPLICATION element and for Web services using the SERVICE element.
Usage example - configure security headers
To set the HTTP security headers that comply with Open Web Application Security Project (OWASP) recommendations, configure the following headers, as shown in the example:
- The "X-XSS-Protection" header disables the cross-site scripting (XSS) filter built into most web browsers. This is usually enabled by default.
- The "X-Content-Type-Options" header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared content-type. This helps reduce the danger of drive-by or unintended downloads.
  Warning: On Internet Explorer 11, use of this header may cause images not to be displayed if the image files do not have extensions. To work around this, if your applications need to serve images through JGAS, make sure your image files have extensions.
- The "X-Frame-Options" header provides clickjacking protection by not allowing iframes to load on your site.
<INTERFACE>
  ...
  <HTTP>
    <SESSION_COOKIE/>
    <APPLICATION>
      <HEADER Name="X-XSS-Protection">1; mode=block</HEADER>
      <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
      <HEADER Name="X-Frame-Options">SAMEORIGIN</HEADER>
    </APPLICATION>
    <SERVICE>
      <HEADER/>
    </SERVICE>
  </HTTP>
</INTERFACE>
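An added example, not part of the product documentation: a small Python audit that parses a configuration fragment shaped like the one above and reports, separately for APPLICATION and SERVICE, which of the three headers are missing or differ from the values shown. The function names and the sample string are assumptions made for illustration; the sample is the page's fragment with the "..." elision and SESSION_COOKIE left out so that it parses.

```python
import xml.etree.ElementTree as ET

# Names and value-lists from the usage example on this page, lower-cased for comparison.
EXPECTED = {
    "x-xss-protection": ["1", "mode=block"],
    "x-content-type-options": ["nosniff"],
    "x-frame-options": ["sameorigin"],
}

# Constructed sample based on the page's example fragment.
SAMPLE = """<INTERFACE>
  <HTTP>
    <APPLICATION>
      <HEADER Name="X-XSS-Protection">1; mode=block</HEADER>
      <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
      <HEADER Name="X-Frame-Options">SAMEORIGIN</HEADER>
    </APPLICATION>
    <SERVICE>
      <HEADER/>
    </SERVICE>
  </HTTP>
</INTERFACE>"""

def parse_headers(parent):
    """Map lower-cased header name -> value-list split on semicolons."""
    found = {}
    for h in parent.findall("HEADER"):
        name = (h.get("Name") or "").strip().lower()
        if name:  # an empty <HEADER/> defines nothing
            found[name] = [v.strip().lower() for v in (h.text or "").split(";") if v.strip()]
    return found

def audit(xml_text):
    """Return {section: [findings]} for the first APPLICATION and SERVICE under HTTP."""
    root = ET.fromstring(xml_text)
    report = {}
    for section in ("APPLICATION", "SERVICE"):
        node = root.find(f".//HTTP/{section}")
        found = parse_headers(node) if node is not None else {}
        report[section] = [
            f"{name}: expected {want}, found {found.get(name)}"
            for name, want in EXPECTED.items()
            if found.get(name) != want
        ]
    return report

if __name__ == "__main__":
    for section, issues in audit(SAMPLE).items():
        print(section, "OK" if not issues else issues)
```

Run against the sample, the audit reports APPLICATION as clean and lists all three headers as not found under SERVICE, because the `<HEADER/>` there is empty.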
Parent elements
This element is a child of the following elements: