Itential Automation Platform

On this page:

HTTPS Security

This section outlines various security enhancements to the HTTP Headers in Itential Automation Platform (IAP) and why httpOnly was not set on all occurrences.

Default HTTP Response Headers

Header Syntax Description
Access-Control-Allow-Origin * Tells the browser to allow code from any origin to access a resource.
Access-Control-Allow-Headers Origin, X-Requested-With, Content-Type, Accept Used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.
Access-Control-Allow-Methods POST, GET, DELETE, OPTIONS Specifies the supported HTTP methods allowed when accessing the resource in response to a preflight request.
X-Frame-Options SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself.
X-Content-Type-Options nosniff A marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed.
Strict-Transport-Security max-age=31536000; includeSubDomains; preload The HTTP Strict-Transport-Security response header (HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

Additional Headers If cacheControl is Turned On

These are defined in properties.json / expressProps.

Header Syntax Description
Cache-Control Private, No-Cache, No-Store, Must-Revalidate Caching directives that can be used by the server in an HTTP response.
Pragma No-Cache Used for backwards compatibility with HTTP/1.0 caches where the Cache-Control HTTP/1.1 header is not present.
Expires 0 The Expires header contains the date/time after which the response is considered stale. Invalid dates (i.e., the value 0), represent a date in the past and means that the resource is already expired.
If-Modified-Since Mon, 1 Jan 2014 01:00:00 GMT The If-Modified-Since request HTTP header makes the request conditional: the server will send back the requested resource, with a 200 status, only if it has been last modified after the given date. If the request has not been modified since, the response will be a 304.


  • The Set-Cookie HTTP response header is used to send cookies from the server to the user agent.
  • Saved on login.
  • Token used for sessions.
Value Description
POST HTTP request call to /login sets httpOnly flag to true.
httpOnly Cookies are not set for public, unauthenticated API calls.
secure Flag is set to true when IAP is run over SSL.