Security Headers
Configuring the security response headers and features
CBSecurity comes bundled with tons of security response features to help developers be secure-minded about their applications. Here are the defaults for configuring the security headers in CBSecurity.
```cfml
/**
 * --------------------------------------------------------------------------
 * Security Headers
 * --------------------------------------------------------------------------
 * This section is the way to configure cbsecurity for header detection, inspection and setting for common
 * security exploits like XSS, ClickJacking, Host Spoofing, IP Spoofing, Non SSL usage, HSTS and much more.
 */
securityHeaders : {
    // If you trust the upstream then we will check the upstream first for specific headers
    "trustUpstream" : false,
    // Content Security Policy
    // Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks,
    // including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to
    // site defacement, to malware distribution.
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    "contentSecurityPolicy" : {
        // Disabled by default as it is totally customizable
        "enabled" : false,
        // The custom policy to use, by default we don't include any
        "policy" : ""
    },
    // The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in
    // the Content-Type headers should be followed and not be changed => X-Content-Type-Options: nosniff
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
    "contentTypeOptions" : { "enabled" : true },
    "customHeaders" : {
        // Name : value pairs as you see fit.
    },
    // Disable Click jacking: X-Frame-Options: DENY OR SAMEORIGIN
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    "frameOptions" : { "enabled" : true, "value" : "SAMEORIGIN" },
    // HTTP Strict Transport Security (HSTS)
    // The HTTP Strict-Transport-Security response header (often abbreviated as HSTS)
    // informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it
    // using HTTP should automatically be converted to HTTPS.
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
    "hsts" : {
        "enabled" : true,
        // The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS, 1 year is the default
        "max-age" : "31536000",
        // See Preloading Strict Transport Security for details. Not part of the specification.
        "preload" : false,
        // If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
        "includeSubDomains" : false
    },
    // Validates the host or x-forwarded-host to an allowed list of valid hosts
    "hostHeaderValidation" : {
        "enabled" : false,
        // Allowed hosts list
        "allowedHosts" : ""
    },
    // Validates the ip address of the incoming request
    "ipValidation" : {
        "enabled" : false,
        // Allowed IP list
        "allowedIPs" : ""
    },
    // The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.
    // Aside from the HTTP header, you can set this policy in HTML.
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
    "referrerPolicy" : { "enabled" : true, "policy" : "same-origin" },
    // Detect if the incoming requests are NON-SSL and if enabled, redirect with SSL
    "secureSSLRedirects" : { "enabled" : false },
    // Some browsers have built in support for filtering out reflected XSS attacks. Not foolproof, but it assists in XSS protection.
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    // X-XSS-Protection: 1; mode=block
    "xssProtection" : { "enabled" : true, "mode" : "block" }
}
```
The trustUpstream boolean flag tells CBSecurity whether to inspect the x-forwarded-* headers (such as x-forwarded-host) FIRST instead of the traditional host/IP headers. If you trust your proxies, then set this flag to true.

The Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for data theft, site defacement, and malware distribution.
By default, this policy is disabled as it requires a custom policy to be written according to your needs. Once you have a policy available, you can add it to the configuration.
Read more about content security policies: Content Security Policy (CSP) - HTTP | MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
```cfml
"contentSecurityPolicy" : {
    // Disabled by default as it is totally customizable; enabled here with a custom policy
    "enabled" : true,
    // The custom policy to use, by default we don't include any
    "policy" : "default-src 'self' *.example.com; img-src *"
},
```
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. This produces the following header: X-Content-Type-Options: nosniff
Read more about content type options: X-Content-Type-Options - HTTP | MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
```cfml
"contentTypeOptions" : { "enabled" : true },
```
You can fill out this struct with the custom headers you would like to send out on EVERY request. The header value can be a simple value that is always returned, or a closure/lambda that is executed at runtime on every request, with its return value sent as the header value.
```cfml
"customHeaders" : {
    "x-mvc" : "ColdBox",
    "x-runtime-timestamp" : (event, rc, prc) => now()
}
```
Please note that the closure accepts the incoming event, rc, and prc variables.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks by ensuring that their content is not embedded into other sites. The default value ColdBox uses is SAMEORIGIN, which allows iframes and embeds from the same origin. The available values are: SAMEORIGIN or DENY.
Read more about frame options: X-Frame-Options - HTTP | MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
```cfml
"frameOptions" : { "enabled" : true, "value" : "SAMEORIGIN" },
```
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS and that any future attempts to access it using HTTP should automatically be converted to HTTPS. Here are the defaults we use in CBSecurity:
Read more about HSTS: Strict-Transport-Security - HTTP | MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
```cfml
"hsts" : {
    "enabled" : true,
    // The time, in seconds, that the browser should remember that a site is only to
    // be accessed using HTTPS, 1 year is the default
    "max-age" : "31536000",
    // See Preloading Strict Transport Security for details. Not part of the specification.
    "preload" : false,
    // If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
    "includeSubDomains" : false
},
```
This configuration setting can restrict access to your application for ONLY a specific list of hosts. This prevents host spoofing. If an invalid host is detected, a 401 Not Authorized response will be sent back to the user. This setting is disabled by default.
```cfml
// Validates the host or x-forwarded-host to an allowed list of valid hosts
"hostHeaderValidation" : {
    "enabled" : true,
    // Allowed hosts list
    "allowedHosts" : "www.coldbox.org,coldbox.org"
},
```
This configuration setting can restrict access to your application for ONLY a specific list of IP addresses. This prevents IP spoofing. If an invalid IP is detected, then a 401 Not Authorized response will be sent back to the user. This setting is disabled by default.
Please note that as of now, a full IP address must be used.
```cfml
// Validates the ip address of the incoming request against an allowed list of IPs
"ipValidation" : {
    "enabled" : true,
    // Allowed IP list (full IP addresses only)
    "allowedIPs" : "127.0.0.1,98.98.98.98"
},
```
The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML. This setting is enabled by default with a policy of same-origin.
Read more about referrer policies: Referrer-Policy - HTTP | MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
```cfml
"referrerPolicy" : {
    "enabled" : true,
    "policy" : "same-origin"
},
```
Here are some available policies:

- no-referrer
- no-referrer-when-downgrade
- origin
- origin-when-cross-origin
- same-origin
- strict-origin
- strict-origin-when-cross-origin
- unsafe-url
If enabled, this setting detects incoming NON-SSL requests and redirects them to SSL, preserving the host information and any incoming query string. By default, this setting is disabled.

```cfml
"secureSSLRedirects" : { "enabled" : true },
```
Some browsers have built-in support for filtering out reflected XSS attacks. Not foolproof, but it assists in XSS protection. By default, it is enabled and a block mode is produced.
Read more about XSS protection: X-XSS-Protection - HTTP | MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
```cfml
"xssProtection" : {
    "enabled" : true,
    "mode" : "block"
}
```
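To make the mapping from configuration keys to actual response headers concrete, here is an added reference model (not CBSecurity's own code) that renders a securityHeaders struct like the ones above into the HTTP headers it implies, evaluates customHeaders closures with (event, rc, prc), and applies hostHeaderValidation with the trustUpstream rule described at the top of this page. The function names and the Python dict shape of the config are assumptions made for the example.

```python
# Added reference model of how the securityHeaders config above maps to response
# headers (not CBSecurity's own code; function names are assumptions).

def build_security_headers(cfg, event=None, rc=None, prc=None):
    """Render an enabled securityHeaders config into {header-name: value}."""
    headers = {}
    csp = cfg.get("contentSecurityPolicy", {})
    if csp.get("enabled") and csp.get("policy"):
        headers["Content-Security-Policy"] = csp["policy"]
    if cfg.get("contentTypeOptions", {}).get("enabled"):
        headers["X-Content-Type-Options"] = "nosniff"
    fo = cfg.get("frameOptions", {})
    if fo.get("enabled"):
        value = str(fo.get("value", "SAMEORIGIN")).upper()
        if value not in ("DENY", "SAMEORIGIN"):   # the only two documented values
            raise ValueError("frameOptions.value must be DENY or SAMEORIGIN")
        headers["X-Frame-Options"] = value
    hsts = cfg.get("hsts", {})
    if hsts.get("enabled"):
        directives = ["max-age=" + str(hsts.get("max-age", "31536000"))]
        if hsts.get("includeSubDomains"):
            directives.append("includeSubDomains")
        if hsts.get("preload"):
            directives.append("preload")
        headers["Strict-Transport-Security"] = "; ".join(directives)
    rp = cfg.get("referrerPolicy", {})
    if rp.get("enabled"):
        headers["Referrer-Policy"] = rp.get("policy", "same-origin")
    xss = cfg.get("xssProtection", {})
    if xss.get("enabled"):
        headers["X-XSS-Protection"] = "1; mode=" + xss.get("mode", "block")
    # customHeaders: a literal value, or a closure called with (event, rc, prc)
    for name, value in cfg.get("customHeaders", {}).items():
        headers[name] = value(event, rc, prc) if callable(value) else value
    return headers


def host_allowed(cfg, host, forwarded_host=None):
    """hostHeaderValidation: with trustUpstream, X-Forwarded-Host is checked first."""
    hv = cfg.get("hostHeaderValidation", {})
    if not hv.get("enabled"):
        return True                      # validation disabled: every host passes
    allowed = {h.strip().lower() for h in hv.get("allowedHosts", "").split(",") if h.strip()}
    candidate = forwarded_host if cfg.get("trustUpstream") and forwarded_host else host
    return (candidate or "").strip().lower() in allowed
```

A request whose selected host is not in allowedHosts is the case the page says receives a 401; ipValidation follows the same shape with allowedIPs.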