Secure HTTP headers

The HTTP headers have a strong impact on the security of an application running in a modern web browser. They are verified during automated enterprise penetration testing to ensure they are defined and applied according to best practices. Starting with release 9.13.2, ImageMaster defines these headers based on the best practices of the OWASP Security Headers Project [OWASP]. These values meet the requirements of most penetration tests, but an organization's security policies may impose different requirements. For this reason, the values are not hard-coded in ImageMaster but are set in the application server configuration.

The values are set within the delivered script (..\support\configureAppServer\cli\01_configure.cli) in the section “# Default values for ImageMaster security headers, ...”.

The script is executed during the ImageMaster installation and the values are configured on the application server using CLI commands. You can find the OWASP HTTP headers recommendation here:

Basically, ImageMaster follows the OWASP recommendations, with the following differences:

  • Cache-Control:

    The value is the one recommended by OWASP, but ImageMaster attaches predicates so that the header is not applied to certain request contexts. For details see the CLI script.

  • Clear-Site-Data:

    This header is only set during ImageMaster logout scenarios.

  • Content-Security-Policy:

    The Content-Security-Policy [CSP] is a layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting. The OWASP recommendation for the “default-src” fetch directive [Mozilla Fetch Directives] and the “frame-ancestors” navigation directive [Mozilla Navigation Directives] has to be adapted and extended in some respects (e.g. img-src, style-src, script-src) to keep ImageMaster working. For details see the CLI script.
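The following Python script is an added example, not part of ImageMaster or its CLI script. It checks captured response headers against the policy described above: the OWASP Cache-Control value (a cache_exempt flag stands in for the request contexts the CLI predicates exclude), Clear-Site-Data only on logout responses, and a CSP that carries the directives listed. The sample responses are constructed, not taken from a real installation.

```python
# Expected Cache-Control value (the OWASP recommendation the page refers to).
OWASP_CACHE_CONTROL = "no-store, max-age=0"
# CSP directives the page says ImageMaster must define for its UI to work.
REQUIRED_CSP = {"default-src", "frame-ancestors", "img-src", "style-src", "script-src"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_response(path: str, headers: dict[str, str], *, logout: bool = False,
                   cache_exempt: bool = False) -> list[str]:
    """Return findings for one response; an empty list means it complies."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    # Cache-Control: OWASP value unless the request context is excluded by a predicate.
    cc = h.get("cache-control", "").replace(" ", "")
    if not cache_exempt and cc != OWASP_CACHE_CONTROL.replace(" ", ""):
        findings.append(f"{path}: Cache-Control {h.get('cache-control')!r} != {OWASP_CACHE_CONTROL!r}")
    # Clear-Site-Data: required on logout responses, unexpected anywhere else.
    if logout != ("clear-site-data" in h):
        findings.append(f"{path}: Clear-Site-Data {'missing on logout' if logout else 'set outside logout'}")
    # CSP: required directives present, frame-ancestors not wide open, no inline script.
    csp = parse_csp(h.get("content-security-policy", ""))
    for d in sorted(REQUIRED_CSP - csp.keys()):
        findings.append(f"{path}: CSP lacks {d}")
    if "*" in csp.get("frame-ancestors", []):
        findings.append(f"{path}: frame-ancestors allows any origin")
    if "'unsafe-inline'" in csp.get("script-src", []):
        findings.append(f"{path}: script-src allows 'unsafe-inline'")
    return findings


# Constructed sample responses (not captured from a real ImageMaster installation).
PAGE_OK = {"Cache-Control": "no-store, max-age=0",
           "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'; "
                                      "img-src 'self' data:; style-src 'self'; script-src 'self'"}
LOGOUT_OK = dict(PAGE_OK, **{"Clear-Site-Data": '"cache","cookies","storage"'})
PAGE_BAD = {"Cache-Control": "public, max-age=3600", "Clear-Site-Data": '"cache"',
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    for p, hdrs, lo in [("/app/", PAGE_OK, False), ("/app/logout", LOGOUT_OK, True), ("/app/", PAGE_BAD, False)]:
        print(p, check_response(p, hdrs, logout=lo) or "OK")
```

Feed it the headers of a real response (e.g. from a browser's network panel or a proxy capture) per path, marking logout responses and predicate-excluded paths, to confirm a customized installation still matches the policy.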

If your organization's security policy requires you to change or add a specific HTTP header in an ImageMaster installation, you should understand the implications and test the change carefully in the pre-production phase. In particular, it is not recommended that you change the special headers mentioned above yourself. If in doubt, contact the ImageMaster service and ask for help.