HEADER (Common)
The HEADER element defines an HTTP header that the server adds to the responses it returns to clients of web applications and web services.
Syntax
<HEADER [ Method=http-method[,...] ] Name="header-name">header-value[;...]</HEADER>
- Method is an optional attribute. When set, the header is added only to responses for the HTTP methods listed. If the Method attribute is not specified, the header applies to all HTTP methods (the default behavior).
- http-method must be a valid HTTP method, such as GET or OPTIONS. This attribute can take a comma-separated list of HTTP methods.
- header-name is the unique name of the HTTP header.
- header-value is the value of the header. It can be a semicolon-separated list of values.
Child elements
There are no child elements.
Usage
Use this element to define customized HTTP headers common to all applications or services.
Configure HTTP headers for applications using the APPLICATION element and for web services using the SERVICE element.
Usage example: Configure security headers
To set the HTTP security headers that comply with Open Web Application Security Project (OWASP) recommendations, configure the headers highlighted in the example:
<INTERFACE>
  ...
  <HTTP>
    <SESSION_COOKIE/>
    <APPLICATION>
      <HEADER Name="X-XSS-Protection">1; mode=block</HEADER>
      <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
      <HEADER Name="Strict-Transport-Security">max-age=31536000; includeSubDomains; preload</HEADER>
      <!--HEADER Name="X-Frame-Options">SAMEORIGIN</HEADER-->
    </APPLICATION>
    <SERVICE>
      <HEADER/>
    </SERVICE>
  </HTTP>
</INTERFACE>
- The "X-XSS-Protection" header enables the cross-site scripting (XSS) filter built into some web browsers; with mode=block the browser stops rendering the page when it detects a reflected attack instead of trying to sanitize it. The filter has been removed from current versions of Google Chrome and Microsoft Edge and was never implemented in Firefox, so this header only protects older browsers and is no substitute for proper output encoding in the application.
- The "X-Content-Type-Options: nosniff" header prevents browsers, including Microsoft® Edge and Google Chrome, from sniffing a response away from the declared Content-Type. This helps reduce the danger of drive-by or unintended downloads, and stops the browser from running a response as script or style when it was served with a different content type. Warning: On Internet Explorer 11, if an image file does not have an extension, use of this header may cause that image not to display. Make sure your image files have extensions if your applications need to serve images through the JGAS.
- The "Strict-Transport-Security" header (HSTS) tells browsers to use only HTTPS when accessing the application host for max-age seconds (one year in the example); includeSubDomains extends this to all subdomains. Browsers honor the header only when they receive it over HTTPS, so it has no effect on a plain HTTP listener. The preload directive signals that the domain may be submitted to the browsers' built-in HSTS preload lists, which is hard to reverse, so add it only when every host under the domain serves HTTPS. For more information on HSTS see the IETF specification (RFC 6797).
- The "X-Frame-Options" header provides clickjacking protection by controlling whether browsers may render the page inside a frame or iframe: SAMEORIGIN allows framing only by pages from the same origin, and DENY forbids framing altogether. It is commented out in the example above; enable it if your application must not be embedded in pages served by other sites.
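Configuring the headers is only half of the job; a practitioner also wants to confirm that the server really emits them, with the configured values, for the methods they are scoped to. The script below is an added example and not part of the original page or of the application server: it reads the HEADER elements of an APPLICATION block (a constructed configuration modelled on the example above, with X-Frame-Options enabled and a hypothetical Method-scoped Cache-Control header added to show the Method attribute), splits the values on ";" and the methods on "," as the syntax defines, and compares them against the header block of a constructed raw HTTP response. It also flags HSTS sent over plain HTTP, since browsers ignore it there.

```python
"""Check that an HTTP response carries the headers configured in the
<HEADER> elements of an APPLICATION block.

Added example; the configuration and the raw responses below are
constructed for illustration, not captured from a real server."""
import xml.etree.ElementTree as ET

# Constructed configuration modelled on the page's example. X-Frame-Options is
# enabled here, and a hypothetical Method-scoped Cache-Control header is added
# to show the Method attribute (not part of the original example).
CONFIG_XML = """<INTERFACE>
  <HTTP>
    <SESSION_COOKIE/>
    <APPLICATION>
      <HEADER Name="X-XSS-Protection">1; mode=block</HEADER>
      <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
      <HEADER Name="Strict-Transport-Security">max-age=31536000; includeSubDomains; preload</HEADER>
      <HEADER Name="X-Frame-Options">SAMEORIGIN</HEADER>
      <HEADER Method="GET,HEAD" Name="Cache-Control">no-store</HEADER>
    </APPLICATION>
    <SERVICE>
      <HEADER/>
    </SERVICE>
  </HTTP>
</INTERFACE>"""

# Constructed responses: one matching the configuration, one that has drifted
# (X-Content-Type-Options and Cache-Control missing, HSTS max-age set to 0).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "<html>...</html>"
)
DRIFTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)


def configured_headers(xml_text, scope="APPLICATION"):
    """Collect the HEADER elements under HTTP/<scope> as
    {lower-case name: {"methods": set or None, "values": [...]}}.
    Values are split on ';' and methods on ',' as the HEADER syntax defines;
    a HEADER without a Name (like the empty one under SERVICE) is skipped."""
    root = ET.fromstring(xml_text)
    block = root.find(f"HTTP/{scope}")
    headers = {}
    if block is None:
        return headers
    for hdr in block.findall("HEADER"):
        name = hdr.get("Name")
        if not name:
            continue
        methods = {m.strip().upper() for m in hdr.get("Method", "").split(",") if m.strip()}
        values = [v.strip() for v in (hdr.text or "").split(";") if v.strip()]
        headers[name.lower()] = {"methods": methods or None, "values": values}
    return headers


def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response into (status line, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_response(raw, expected, method="GET", https=True):
    """Return a list of findings; an empty list means every header configured
    for this HTTP method is present with exactly the configured value list."""
    _, got = parse_response_headers(raw)
    findings = []
    for name, spec in expected.items():
        if spec["methods"] and method.upper() not in spec["methods"]:
            continue  # header is scoped to other HTTP methods
        if name not in got:
            findings.append(f"missing {name}")
            continue
        got_vals = [v.strip().lower() for v in got[name].split(";") if v.strip()]
        if got_vals != [v.lower() for v in spec["values"]]:
            findings.append(f"{name}: got {got[name]!r}, expected {'; '.join(spec['values'])!r}")
    # Browsers only honor HSTS received over HTTPS; on a plain listener it is dead weight.
    if got.get("strict-transport-security") and not https:
        findings.append("strict-transport-security sent over plain HTTP; browsers ignore it")
    return findings


if __name__ == "__main__":
    policy = configured_headers(CONFIG_XML)
    print("good:", check_response(GOOD_RESPONSE, policy))
    print("drifted GET:", check_response(DRIFTED_RESPONSE, policy))
    print("drifted POST:", check_response(DRIFTED_RESPONSE, policy, method="POST"))
```

In practice, replace the constructed response with the header block read from a real connection to the application server and run the check once per scope (APPLICATION and SERVICE) and per method you care about; a header that is configured but never appears usually means it was placed in the wrong scope or restricted by Method.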
Parent elements
This element is a child of the following elements: