Configuring secure browser access
To configure security for browsers that access the Application Security domain:
- On the header, select Administration.
- On the navigation pane, expand Configuration, and then select Security.
- On the Security page, configure the settings as described in the following table.
Field: Content-Security-Policy
Description: Specify what (if any) level of CSP to use. The HTTP Content-Security-Policy header controls the resources browsers can load and the actions they can perform on pages loaded from Application Security. This helps guard against cross-site scripting attacks.
Select one of the following options:
- Strict: restricts access to only the base URL configured by the host.url property (set using the Setup wizard).
- Relaxed: enables a less restrictive policy than strict CSP. This is the default setting. It allows access to the Application Security domain from any host:port.
- Disabled: disables the Content-Security-Policy header. Although OpenText recommends that you not disable the Content-Security-Policy header, this option is available if CSP causes unexpected problems.

Field: Set value for Strict-Transport-Security header
Description: Type the value for the Strict-Transport-Security header. This header signals browsers to use HTTPS instead of HTTP to communicate with Application Security.
Use caution when you set this value. It can have a severe impact on users. For more detail, see the HTTP Strict Transport Security Cheat Sheet.
The Strict-Transport-Security header is sent only through a secure channel determined by the Tomcat server.

Field: Set value for Public-Key-Pins header
Description: Type the value for the Public-Key-Pins header. This decreases the risk of man-in-the-middle (MITM) attacks.
Use caution when you set this value. It can have a severe impact on users. For more detail, see the HTTP Strict Transport Security Cheat Sheet.
The Public-Key-Pins header is sent only through a secure channel determined by the Tomcat server.
Click SAVE.
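After saving, a practitioner will want to confirm that the three headers reach the browser as intended. The following check is an added example, not code from the product or its documentation; the host name, the sample header values, and the rule that a Strict policy names no origin other than 'self' and the host.url base URL are assumptions.

```python
# Added example: evaluate the security headers of a captured HTTPS response.
# Assumption: a Strict CSP lists only 'self' and the host.url base URL as sources.

# Constructed sample (placeholder host) of headers returned by the base URL.
BASE_URL = "https://appsec.example.com:8443"
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self' https://appsec.example.com:8443",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def csp_mode(csp, base_url):
    """Return 'strict' if every host source is the base URL, else 'relaxed'."""
    for directive in csp.split(";"):
        parts = directive.split()
        for source in parts[1:]:  # parts[0] is the directive name
            if source.startswith("'"):  # keyword, nonce or hash, not a host
                continue
            if source.rstrip("/") != base_url.rstrip("/"):
                return "relaxed"  # wildcard, scheme-only source or foreign host
    return "strict"


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_headers(headers, base_url):
    """Return a list of findings; an empty list means the headers look as intended."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP absent: Disabled setting, or header not reaching the client")
    elif csp_mode(csp, base_url) != "strict":
        findings.append("CSP allows hosts beyond host.url: Relaxed setting in effect")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS absent: not set, or the response was not over HTTPS")
    elif not parse_hsts(hsts)[0]:  # None or max-age=0 leaves no policy in the browser
        findings.append("HSTS max-age missing or zero: policy is not retained")
    if "public-key-pins" in h:
        findings.append("HPKP set: a wrong pin locks users out; confirm a backup pin exists")
    return findings
```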