This section lists the security-related HTTP response headers set by Itential Automation Platform (IAP), what each one does, and why the httpOnly cookie flag is not present on every response.
| Header | Value | Description |
| --- | --- | --- |
| Access-Control-Allow-Origin | `*` | Tells the browser to allow code from any origin to access the resource. |
| Access-Control-Allow-Headers | `Origin, X-Requested-With, Content-Type, Accept` | Sent in response to a preflight request that includes Access-Control-Request-Headers; indicates which HTTP headers may be used in the actual request. |
| Access-Control-Allow-Methods | `POST, GET, DELETE, OPTIONS` | Sent in response to a preflight request; specifies the HTTP methods allowed when accessing the resource. |
| X-Frame-Options | `SAMEORIGIN` | The page can only be displayed in a frame on the same origin as the page itself. |
| X-Content-Type-Options | `nosniff` | Tells the browser that the MIME type advertised in the Content-Type header must be followed and not changed by content sniffing. |
| Strict-Transport-Security | `max-age=31536000; includeSubDomains; preload` | HTTP Strict Transport Security (HSTS) tells browsers that the site should only be accessed over HTTPS, never plain HTTP. |

Note that with the wildcard `Access-Control-Allow-Origin: *` the browser does not attach cookies or other credentials to cross-origin requests (the wildcard cannot be combined with `Access-Control-Allow-Credentials: true`), so this CORS policy does not expose the session cookie described below to other origins.
These are defined in properties.json (expressProps).
| Header | Value | Description |
| --- | --- | --- |
| Cache-Control | `Private, No-Cache, No-Store, Must-Revalidate` | Caching directives the server applies to the HTTP response (directive names are case-insensitive). |
| Pragma | `no-cache` | Kept for backwards compatibility with HTTP/1.0 caches that do not understand the HTTP/1.1 Cache-Control header. |
| Expires | `0` | The date/time after which the response is considered stale. An invalid date such as `0` represents a date in the past, meaning the resource has already expired. |
| If-Modified-Since | `Mon, 1 Jan 2014 01:00:00 GMT` | The If-Modified-Since request header makes a request conditional: the server returns the resource with a 200 status only if it was modified after the given date, and a 304 otherwise. |

Two caveats on the last row: If-Modified-Since is a request header, so browsers ignore it when it appears in a response; and the value above is not a well-formed HTTP-date (the IMF-fixdate format uses a two-digit day, `01 Jan 2014`, and 1 January 2014 was a Wednesday, not a Monday), so a strict date parser may reject it.
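The following is an added example, not IAP code: it turns the two header tables above into a policy object and audits a captured HTTP response head against it, reporting headers that are missing or carry a different value. The sample response is constructed for the demo; If-Modified-Since is left out of the policy because it is a request header.

```javascript
// Added example, not IAP code: response-header policy from the tables above
// plus an audit of a captured response head. Values are compared as sets of
// lowercase tokens, so directive casing ("No-Cache" vs "no-cache") and the
// order of comma-separated lists do not produce false findings.

const HEADER_POLICY = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept',
  'Access-Control-Allow-Methods': 'POST, GET, DELETE, OPTIONS',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Cache-Control': 'private, no-cache, no-store, must-revalidate',
  'Pragma': 'no-cache',
  'Expires': '0',
};

// Split a comma- or semicolon-separated value into a set of lowercase tokens.
function tokens(value) {
  return new Set(value.split(/[;,]/).map((t) => t.trim().toLowerCase()).filter(Boolean));
}

function sameValue(expected, actual) {
  const a = tokens(expected);
  const b = tokens(actual);
  return a.size === b.size && [...a].every((t) => b.has(t));
}

// Parse the status line and header block of a raw HTTP/1.1 response.
// Header names are lowercased; repeated headers are kept as a list.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const [statusLine, ...lines] = head.split(/\r?\n/);
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { statusLine, headers };
}

// One finding per policy header that is absent or carries a different value.
function auditResponseHeaders(raw, policy = HEADER_POLICY) {
  const { headers } = parseResponseHead(raw);
  const findings = [];
  for (const [name, expected] of Object.entries(policy)) {
    const actual = headers[name.toLowerCase()];
    if (!actual) {
      findings.push({ header: name, problem: 'missing' });
    } else if (!actual.some((v) => sameValue(expected, v))) {
      findings.push({ header: name, problem: 'mismatch', expected, actual: actual.join(', ') });
    }
  }
  return findings;
}

// Constructed sample response (not captured from a real IAP instance).
const SAMPLE_OK = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept',
  'Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS',
  'X-Frame-Options: SAMEORIGIN',
  'X-Content-Type-Options: nosniff',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload',
  'Cache-Control: Private, No-Cache, No-Store, Must-Revalidate',
  'Pragma: no-cache',
  'Expires: 0',
  '',
  '{"ok":true}',
].join('\r\n');

// The same response with HSTS dropped and the deprecated ALLOW-FROM framing value.
const SAMPLE_WEAK = SAMPLE_OK
  .replace('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n', '')
  .replace('X-Frame-Options: SAMEORIGIN', 'X-Frame-Options: ALLOW-FROM https://example.com');

console.log(auditResponseHeaders(SAMPLE_OK));   // []
console.log(auditResponseHeaders(SAMPLE_WEAK)); // X-Frame-Options mismatch, Strict-Transport-Security missing
```

Feed it the output of `curl -si` against an IAP endpoint to check a running instance; because the comparison is order- and case-insensitive, a reordered method list or capitalised Cache-Control directives pass, while a dropped or changed header is reported.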
- The Set-Cookie HTTP response header is used to send cookies from the server to the user agent.
- The cookie is saved on login.
- It carries the token used for sessions.

| Flag | Behaviour |
| --- | --- |
| httpOnly | The HTTP request to /login sets the httpOnly flag to true on the session cookie. |
| httpOnly | Cookies are not set at all for public, unauthenticated API calls, so those responses carry no cookie and hence no httpOnly flag; this is why the flag does not appear on every response. |
| secure | The flag is set to true when IAP is run over SSL. |
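The following is an added example, not IAP code: it builds a session Set-Cookie header with the flags described above (httpOnly always, secure only when the server is reached over TLS) and checks a captured Set-Cookie line for them. The cookie name `session`, the token value and the `Path=/` attribute are assumptions for the demo.

```javascript
// Added example, not IAP code. Cookie name, token and Path are assumed values.

// Build the session cookie: HttpOnly always, Secure only over TLS (a Secure
// cookie set over plain HTTP is dropped by the browser, which is why the
// flag is tied to whether the server runs over SSL).
function buildSessionCookie(token, { tls }) {
  const attrs = ['Path=/', 'HttpOnly'];
  if (tls) attrs.push('Secure');
  return `session=${encodeURIComponent(token)}; ${attrs.join('; ')}`;
}

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lowercased;
// valueless attributes (HttpOnly, Secure) are stored as true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Findings for a session cookie: HttpOnly is always required, Secure when TLS.
function checkSessionCookie(header, { tls }) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: token readable via document.cookie');
  if (tls && !attrs.secure) findings.push('missing Secure: cookie would also be sent over plain HTTP');
  return findings;
}

// Constructed sample headers (not captured from a real IAP instance).
const OVER_TLS = buildSessionCookie('abc123', { tls: true });
const OVER_HTTP = buildSessionCookie('abc123', { tls: false });
const WEAK = 'session=abc123; Path=/';

console.log(OVER_TLS);                                   // session=abc123; Path=/; HttpOnly; Secure
console.log(checkSessionCookie(OVER_TLS, { tls: true }));  // []
console.log(checkSessionCookie(WEAK, { tls: true }));      // two findings
```

To verify a live instance, capture the Set-Cookie line from the /login response and pass it to `checkSessionCookie` with `tls` set according to how IAP is deployed; an unauthenticated API response should yield no Set-Cookie line at all, matching the table above.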