Web Security Configuration
- Updated on 21 Feb 2024
Web Security Configuration in RapidIdentity
Web Security Configuration options instruct RapidIdentity to include various HTTP Response Headers such as X-Frame-Options, Content-Security-Policy and Strict-Transport-Security to prevent browser-based vulnerabilities and protect against malicious attacks.
To configure Web Security Configuration options in RapidIdentity, as a Tenant or System Administrator, navigate to Configuration > General > Settings > Web Security.
XFrame Options
X-Frame-Options can be used to indicate whether a browser should be allowed to embed the web page in another page. These options help avoid clickjacking attacks by ensuring that the site's content is not embedded into other sites.
For each rule, define a Path Regex (Path Regular Expression) and provide it with a Value. Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, the server's response will contain the X-Frame-Options header value defined for that path.
The default RapidIdentity settings define XFrame Options Header Rules for the Claim My Account, Forgot My Password, and Expired Password functionalities. Others may be added if desired.
RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.
Path Regex is a Java regular expression matched against the URI path of an HTTP request made to the server. For instance, a value of "/portal/.*" will match all requests to "/portal/" and requests to sub-paths of "/portal/". A pathRegex value of ".*" will match ALL HTTP requests to the RapidIdentity server.
Value is a choice of three options to define what the browser does with the content found through the Path Regex. Options are as follows:
- SAMEORIGIN: The page will be displayed in a frame on the same origin as the page itself.
- DENY: The page will not be displayed in a frame.
- ALLOW-FROM <uri>: The page will be displayed in a frame on the specified origin. Example: allow-from https://www.example.com.
For more information on XFrame Options visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Content Security Policy
Content Security Policy (CSP) helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement, to malware distribution.
For each rule, define a Path Regex (Path Regular Expression) and provide it with one or more Values. (This is the only header option that accepts multiple values.) Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, the server's response will contain the Content-Security-Policy header values defined for that path. RapidIdentity ships with some defaults already set for base functionality.
The default RapidIdentity settings define Content Security Policy Header Rules for the Claim My Account, Forgot My Password, and Expired Password functionalities. Others may be added as desired. New values may also be added to existing rules by clicking Add within the rule box and adding a new value for that rule.
RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.
Path Regex is a Java regular expression matched against the URI path of an HTTP request made to the server. For instance, a value of "/portal/.*" will match all requests to "/portal/" and requests to sub-paths of "/portal/". A pathRegex value of ".*" will match ALL HTTP requests to the RapidIdentity server.
Value is one or more source expressions defining where content may be loaded from under the policy for the matched path. Each can be one of the following:
- <host-source>: Internet hosts by name or IP address. May include a URL scheme and/or port number if desired. Asterisks may be used as wildcards for leading subdomains or for the port. Examples of this source include http://*.example.com, mail.example.com:443, https://store.example.com, etc.
- <scheme-source>: A scheme such as http: or https:. The colon is required, and the scheme should not be quoted. Data schemes can be specified, but this is not recommended.
- 'self': This refers to the origin from which the protected content is being served, which includes the URL scheme and port number. Single quotes must be included.
For more information on Content Security Policy (CSP) visit https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Strict Transport Security
Strict Transport Security informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
The default RapidIdentity settings do not define any Strict Transport Security Header Rules, allowing browsers to access each portion of the domain via HTTP. To modify the existing rule or add a new one, click the Header Enabled checkbox at the top of the menu and provide a value for the existing rule or add a new rule.
RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.
For each rule, define a Path Regex (Path Regular Expression) and provide it with a Value. Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, the server's response will contain the Strict-Transport-Security header value defined for that path.
Path Regex is a Java regular expression matched against the URI path of an HTTP request made to the server. For instance, a value of "/portal/.*" will match all requests to "/portal/" and requests to sub-paths of "/portal/". A pathRegex value of ".*" will match ALL HTTP requests to the RapidIdentity server.
Value is a choice of directives to provide the browser with instructions regarding the content found through the Path Regex. Directives include:
- max-age=<expire-time>: Defines the number of seconds that the browser should remember to only access the site via HTTPS.
- includeSubDomains: An optional parameter that applies to all of the site's subdomains as well.
- preload: An optional parameter that marks the site as eligible for inclusion in the various browsers' HTTP Strict Transport Security (HSTS) Preload Lists.
For more information on Strict Transport Security (HSTS) visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
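The ordered, first-match rule evaluation described above for the X-Frame-Options, Content Security Policy and Strict Transport Security headers, modelled as an added example (not RapidIdentity's own code): it resolves the headers a given request path would receive and flags rules that can never fire because a catch-all sits above them. It assumes a Path Regex must match the whole request path (as Java's String.matches would) and that multiple CSP values are joined into one header with "; ", and it uses constructed rules rather than the shipped defaults.

```python
import re

# Each header is configured as an ordered list of (path_regex, values) rules that
# RapidIdentity evaluates top to bottom; the first Path Regex matching the request
# path decides the header value. Path Regex is a Java regular expression; Python's
# re.fullmatch is the closest stand-in (assumption: the whole path must match, as
# the documented "/portal/.*" and ".*" examples imply). Rules here are constructed.
POLICY = {
    "X-Frame-Options": [
        (r"/portal/.*", ["SAMEORIGIN"]),
        (r".*", ["DENY"]),
    ],
    # CSP is the only header that accepts several values per rule; the join in
    # response_headers assumes they become directives of one header split by "; ".
    "Content-Security-Policy": [
        (r"/portal/.*", ["default-src 'self'", "img-src 'self' https://*.example.com"]),
    ],
    "Strict-Transport-Security": [(r".*", ["max-age=31536000; includeSubDomains"])],
}

def first_match(rules, path):
    """Index of the first rule whose Path Regex matches the whole request path, else None."""
    for i, (path_regex, _values) in enumerate(rules):
        if re.fullmatch(path_regex, path):
            return i
    return None

def response_headers(policy, path):
    """Security headers a response for `path` carries under `policy` (first match wins)."""
    headers = {}
    for name, rules in policy.items():
        i = first_match(rules, path)
        if i is not None:
            headers[name] = "; ".join(rules[i][1])
    return headers

def unreachable_rules(rules, sample_paths):
    """Indices of rules that never win for any sample path, e.g. because a ".*"
    catch-all sits above them. The UI does not flag this; check it before deploying."""
    winners = {first_match(rules, p) for p in sample_paths}
    return [i for i in range(len(rules)) if i not in winners]

if __name__ == "__main__":
    print(response_headers(POLICY, "/portal/sso/login"))
    # The same two X-Frame-Options rules with the catch-all dragged above the
    # portal rule: rule 1 is now dead and /portal/ pages get DENY instead.
    misordered = [(r".*", ["DENY"]), (r"/portal/.*", ["SAMEORIGIN"])]
    print(unreachable_rules(misordered, ["/portal/", "/portal/login", "/api/v1"]))
```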
Referrer Policy
The Referrer Policy controls the information to be sent with the Referer header.
RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.
Path Regex is a Java regular expression matched against the URI path of an HTTP request made to the server. For instance, a value of "/portal/.*" will match all requests to "/portal/" and requests to sub-paths of "/portal/". A pathRegex value of ".*" will match ALL HTTP requests to the RapidIdentity server.
Value is a choice of directives to provide the browser with instructions regarding the information to be included with requests to the Path Regex. Directives include:
- no-referrer: The Referer header is omitted; requests carry no referrer information.
- no-referrer-when-downgrade: Send the origin, path, and query string in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS), but don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
- origin: Send only the origin in the Referer header, i.e. a document at https://example.com/page.html will send the referrer https://example.com/.
- origin-when-cross-origin: When performing a same-origin request at the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string, but send only the origin for cross-origin requests and requests to less secure destinations (HTTPS→HTTP).
- same-origin: Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.
- strict-origin: Send only the origin when the protocol security level stays the same (HTTPS→HTTPS), but don't send the Referer header to less secure destinations (HTTPS→HTTP).
- strict-origin-when-cross-origin: Send the origin, path, and query string when performing a same-origin request; for cross-origin requests send only the origin when the protocol security level stays the same (HTTPS→HTTPS), but don't send the Referer header to less secure destinations (HTTPS→HTTP).
- unsafe-url: Send the origin, path, and query string when performing any request, regardless of security.
For more information on the Referrer Policy visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
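The eight Referrer Policy directives above, worked through as an added example (not part of the original page): given a directive, the page making the request and its destination, `referer_for` returns the Referer value the browser would send, or None when the header is omitted. It treats a destination as less secure only when the source is HTTPS and the destination is not, matching the HTTPS→HTTP and HTTPS→file cases listed above; the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

def origin(url):
    """Scheme, host and port only, with the trailing slash browsers send."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"

def full(url):
    """Origin, path and query string; the fragment is never sent as a referrer."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))

def referer_for(policy, source, dest):
    """Referer value a browser sends for a request from `source` to `dest` under
    the given Referrer-Policy directive, or None when the header is omitted."""
    s, d = urlsplit(source), urlsplit(dest)
    same_origin = (s.scheme, s.netloc) == (d.scheme, d.netloc)
    # "Less secure destination" as the page lists it: HTTPS -> HTTP or HTTPS -> file.
    downgrade = s.scheme == "https" and d.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full(source)
    if policy == "origin":
        return origin(source)
    if policy == "same-origin":
        return full(source) if same_origin else None
    if policy == "origin-when-cross-origin":
        # same-origin implies same scheme, so a downgrade is always cross-origin here
        return full(source) if same_origin else origin(source)
    if policy == "strict-origin":
        return None if downgrade else origin(source)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full(source) if same_origin else origin(source)
    raise ValueError(f"unknown Referrer-Policy directive: {policy}")

if __name__ == "__main__":
    src = "https://idp.example.com/portal/page.html?user=alice"  # constructed sample
    for directive in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "unsafe-url"):
        print(directive, referer_for(directive, src, "http://partner.example.net/"))
```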
Permissions Policy
The Permissions Policy is a mechanism used to allow and deny the use of browser features in a document or within any <iframe> elements in the document.
RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.
Path Regex is a Java regular expression matched against the URI path of an HTTP request made to the server. For instance, a value of "/portal/.*" will match all requests to "/portal/" and requests to sub-paths of "/portal/". A pathRegex value of ".*" will match ALL HTTP requests to the RapidIdentity server.
Value is a set of directives that allow or deny the use of browser features in a document or within any <iframe> elements in the document.
For more information on the Permissions Policy visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
XContentType Options
XContentType Options prevent the browser from MIME-type sniffing, which occurs when the browser tries to guess the type of a resource from its content rather than relying on the server-provided Content-Type header. Sniffing can lead to security issues such as executing malicious scripts or loading unauthorized resources.
RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.
Path Regex is a Java regular expression matched against the URI path of an HTTP request made to the server. For instance, a value of "/portal/.*" will match all requests to "/portal/" and requests to sub-paths of "/portal/". A pathRegex value of ".*" will match ALL HTTP requests to the RapidIdentity server.
The value nosniff instructs the browser to block a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type.
For more information on XContentType Options visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options