Security Headers
HTTP security headers are response headers that instruct the browser how to handle content from the website; they mitigate common web attacks such as protocol downgrade, clickjacking, and cross-site scripting.
DivePort security header options (including its content security policy) can be customized in the portaldb.json file. However, DI recommends that you use the following default security settings:
NOTE: No action is required to use the following security settings.
Strict-Transport-Security
This header tells the browser to use only HTTPS for the site (rewriting any HTTP request to HTTPS before it is sent) for a period after the first response that carries the header. Browsers honor the header only when they receive it over HTTPS.
Syntax: "http.strict-transport-security": "max-age=<expire-time>"
Where <expire-time> is the number of seconds the browser remembers the policy. Each HTTPS response that carries the header restarts the timer.
DI default setting: "http.strict-transport-security": "max-age=31536000"
NOTE: If the HTTP port serves different content than the HTTPS port, the recommended setting causes the browser to rewrite requests to the HTTPS site, making the separate content on the HTTP port inaccessible. In that rare case, you can override this behavior by setting max-age=0, which tells browsers that have already recorded the policy to discard it (a browser must receive the max-age=0 header over HTTPS once before it stops rewriting).
Referrer-Policy
This header limits the URL information that the browser places in the Referer header of outgoing requests. With the default directive, requests to the DivePort origin itself carry the full URL (path and query string), requests to external sites served over HTTPS carry only the DivePort origin (scheme, host, and port), and requests to external sites served over plain HTTP carry no Referer at all. This makes it harder for third parties to learn which DivePort pages users viewed.
Syntax: "http.referrer-policy": "<directive>"
Where, <directive> specifies how much referrer information is included with requests.
DI default setting: "http.referrer-policy": "strict-origin-when-cross-origin"
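To make the three cases of the default directive concrete, the following Python model computes the Referer value a browser sends from a DivePort page to a given destination. It is an added illustration, not DivePort code or part of the original page; the host names (diveport.example, partner.example) are constructed, and only the directives named here are modelled.

```python
"""Model of the Referer value a browser sends under strict-origin-when-cross-origin
(the DivePort default) and three neighbouring directives. Added illustration only."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """(scheme, host, effective port): the tuple browsers compare for same-origin."""
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))


def _serialize_origin(parts):
    """Origin-only Referer; browsers serialize it with a trailing slash."""
    scheme, host, port = _origin(parts)
    suffix = "" if port == DEFAULT_PORTS.get(scheme) else f":{port}"
    return f"{scheme}://{host}{suffix}/"


def _strip_for_referrer(parts):
    """Full URL minus credentials and fragment, which never leave the browser as Referer."""
    scheme, host, port = _origin(parts)
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, ""))


def referer_for(policy, source_url, dest_url):
    """Return the Referer string sent when a page at source_url requests dest_url,
    or None when the header is omitted entirely."""
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    same_origin = _origin(src) == _origin(dst)
    downgrade = src.scheme == "https" and dst.scheme != "https"   # HTTPS -> HTTP
    if policy == "no-referrer":
        return None
    if policy == "strict-origin":
        return None if downgrade else _serialize_origin(src)
    if policy == "strict-origin-when-cross-origin":              # DivePort default
        if same_origin:
            return _strip_for_referrer(src)                      # full path and query
        return None if downgrade else _serialize_origin(src)     # origin only, never on downgrade
    if policy == "unsafe-url":
        return _strip_for_referrer(src)                          # leaks path and query everywhere
    raise ValueError(f"policy not modelled: {policy}")


if __name__ == "__main__":
    page = "https://diveport.example/report?id=42#section"      # constructed DivePort page URL
    for dest in ("https://diveport.example/api/data",
                 "https://partner.example/doc",
                 "http://partner.example/doc"):
        print(dest, "->", referer_for("strict-origin-when-cross-origin", page, dest))
```

The same-origin case returns the path and query because DivePort itself is trusted with them; the HTTPS-to-HTTP case returns None, which is the behavior that prevents a plain-HTTP link target (and anyone on the network path) from seeing even the DivePort host name.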
Feature-Policy
This header turns off specified browser features for DivePort pages and for any third-party content embedded in them (for example, in an iframe). Feature-Policy is the older name for what current browser specifications call Permissions-Policy, which uses a different syntax; support for the legacy Feature-Policy form varies by browser.
Syntax: "http.feature-policy": "<directive> '<allowlist>' ; <directive> '<allowlist>'; ..."
Where, <directive> specifies a feature, and <allowlist> specifies the conditions in which the feature is allowed.
DI default setting: "http.feature-policy": "fullscreen 'none'; microphone 'none'; camera 'none'; payment 'none'"
In the default setting, the features fullscreen, microphone, camera, and payment each have the empty allowlist 'none', so they are disabled everywhere.
Therefore, DivePort pages and the frames they embed are not allowed to use:
- A full screen display element
- Audio input devices (microphones)
- Video input devices (cameras)
- Payment request APIs
Other security headers
DivePort does not set default values for the following security headers. However, you can specify values for them in the portal-infos section of the portaldb file:
- Content-Security-Policy: This header specifies directives that restrict the resources a page is allowed to load and the origins it may load them from.
Syntax: "http.content-security-policy": "<policy-directive>; <policy-directive>"
Where <policy-directive> describes the policy for a certain resource type or policy area. For example, the default-src policy directive is the fallback for other resource types that do not have policies of their own.
The recommended setting allows the default resource types to load from the site origin ('self') together with inline scripts and styles ('unsafe-inline') and runtime code evaluation ('unsafe-eval'); images may additionally come from any HTTPS origin (https:) or be embedded as data: URLs. Note that 'unsafe-inline' and 'unsafe-eval' remove most of the cross-site scripting protection a CSP can provide; treat this setting as a compatibility baseline and tighten it only after confirming that DivePort pages and your custom content still function.
Recommended setting: "http.content-security-policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https: data:"
- X-Frame-Options: This header controls whether a browser may render DivePort inside a frame (IFRAME) on another website, which guards against clickjacking. Browsers that support the Content-Security-Policy frame-ancestors directive give it precedence over X-Frame-Options when both are present.
Syntax: "http.x-frame-options": "<option>"
Where <option> is either sameorigin (the page may be framed only by pages from the same origin as the page itself) or deny (attempts to load the page in a frame fail regardless of the site attempting to do so).
Recommended setting: "http.x-frame-options": "sameorigin"
- X-Content-Type-Options: This header tells the browser to trust the Content-Type that DivePort declares instead of sniffing the file contents to guess a type. Without it, a browser could treat a downloaded or uploaded file as HTML or script; with nosniff, browsers also refuse to execute scripts or apply stylesheets whose declared MIME type is wrong.
Syntax: "http.x-content-type-options": "nosniff"
Recommended setting: "http.x-content-type-options": "nosniff"
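After changing portaldb.json, you will want to confirm that a live DivePort response actually carries the settings above. The following Python checker is an added example, not DivePort code or part of the original page: it evaluates a set of response headers against the DI default and recommended values from this page, accepting either Feature-Policy or the newer Permissions-Policy syntax for the disabled features and CSP frame-ancestors as an alternative to X-Frame-Options. The two header sets at the bottom are constructed samples; the host name in the usage block is a placeholder.

```python
"""Offline check of HTTP security headers against the DivePort settings recommended
on this page. Added example, not DivePort code."""
import re
import sys
import urllib.request

HSTS_MIN_AGE = 31536000                                   # DI default: one year
DISABLED_FEATURES = ("fullscreen", "microphone", "camera", "payment")
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_directives(value):
    """Parse 'name tok tok; name tok' (CSP and Feature-Policy syntax) into {name: [tokens]}."""
    result = {}
    for item in value.split(";"):
        tokens = item.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def parse_permissions_policy(value):
    """Parse the newer 'camera=(), fullscreen=(self)' form into {name: [tokens]};
    an empty allowlist [] means the feature is disabled everywhere."""
    result = {}
    for item in value.split(","):
        name, _, allow = item.strip().partition("=")
        if name:
            result[name.lower()] = allow.strip("() ").split()
    return result


def check_security_headers(headers):
    """Return (severity, message) findings for one HTTPS response; severity is
    'fail' (deviates from the page's recommendation) or 'warn' (worth reviewing)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    age = int(m.group(1)) if m else -1                     # -1: header absent or malformed
    if age < HSTS_MIN_AGE:
        findings.append(("fail", f"Strict-Transport-Security max-age is {age}, expected >= {HSTS_MIN_AGE}"))

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append(("fail", "Referrer-Policy missing or leaks path/query to other origins"))

    fp = parse_directives(h.get("feature-policy", ""))
    pp = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in DISABLED_FEATURES:
        if fp.get(feature) != ["'none'"] and pp.get(feature) != []:
            findings.append(("fail", f"{feature} is not disabled by Feature-Policy or Permissions-Policy"))

    csp = parse_directives(h.get("content-security-policy", ""))
    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin") and "frame-ancestors" not in csp:
        findings.append(("fail", "no clickjacking protection: set X-Frame-Options or CSP frame-ancestors"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("fail", "X-Content-Type-Options is not nosniff"))

    if not csp:
        findings.append(("warn", "Content-Security-Policy not set"))
    for token in ("'unsafe-inline'", "'unsafe-eval'"):
        if token in csp.get("default-src", []) or token in csp.get("script-src", []):
            findings.append(("warn", f"CSP allows {token} for scripts, which weakens XSS protection"))
    return findings


def fetch_headers(url):
    """Fetch one response and return its headers as a dict (requires network access)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed response headers reflecting the DI default and recommended settings.
DI_RECOMMENDED = {
    "Strict-Transport-Security": "max-age=31536000",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Feature-Policy": "fullscreen 'none'; microphone 'none'; camera 'none'; payment 'none'",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https: data:",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
}

# Constructed headers for a misconfigured deployment: HSTS switched off, permissive
# referrer, only two features disabled (via the newer syntax), no framing control, no CSP.
WEAK = {
    "Strict-Transport-Security": "max-age=0",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "camera=(), microphone=()",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    # Pass a URL such as https://diveport.example.com/ (placeholder) to check a live server.
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK
    for severity, message in check_security_headers(target):
        print(f"{severity.upper():4} {message}")
```

Against the DI recommended set the checker reports only the two CSP warnings, which is the expected result of the compatibility baseline above; against the weak set it reports the HSTS, referrer, fullscreen, payment, and clickjacking failures plus the missing CSP. Run it against every DivePort host (including any separate HTTP port) after editing portaldb.json, because a header that is set in the file but stripped by a reverse proxy in front of DivePort gives no protection.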
For more information about security headers options, see Dimensional Insight Technical Notice 04, available on the Dimensional Insight Customers page.
See also Modifying the Portal Info Attributes in the portaldb.json File.