AnsweredAssumed Answered

Security Headers

Question asked by schlot on Apr 25, 2018
Latest reply on May 2, 2018 by randall_williams-esristaff

All the ESRI examples are always very straight forward, but simple and plain when it comes to headers.  In today's world we're asked to tighten down our code with the introduction of many more security headers.  This is is not my area of expertise, I'm always doing good to get my code to work!  It's my understanding some configuration can happen on the application server, as an overall configuration, while others are best managed per application.


Given that I'm referencing the JavaScript API from ESRI, and not locally hosting it, coupled by the fact that we're pulling data in as services from sites outside our network, it's not as if I this can be configured based on examples provided to us from our cybersecurity 'best practice'.  There's no point in tightening it down to be non-functioning.


These are the header I'm being asked about.  There may be others as time goes on:

HTTP Public Key Pinning (HPKP) Header 

HTTP Strict Transport Security (HSTS) Header

X-XSS-Protection Header

X-Frame-Options Header Header 

X Permitted Cross Domain Policies Header 

Content-Security-Policy (CSP) Header 

X-Content-Type-Options Header 

Referrer-Policy HTTP header


Does anyone have any examples, words of wisdom?  I know people are likely to send me links to sites about what these are.  That's not what I want.  I have someone who can tell me generally what each is for.  What I want is syntax for settings that are likely to work.  The goal is to be more secure, but still functioning.  I've been told that implementing a CSP Header\, for example, could result in the inability to access the JavaScript API library, which is full of Function ().