Applies to version: 2020.1.x; author: Tomasz Słuszniak
Introduction
From version 2020.1.3.321 onward it is possible to define additional HTTP headers that the web server returns in its responses. This functionality can be used, for example, to raise the security level of WEBCON BPS Portal, which is especially important when BPS Portal is publicly reachable from the Internet.
To define headers, go to WEBCON BPS Designer Studio -> System settings -> Global parameters.
Example
To verify the security level of our BPS Portal, we will use the https://securityheaders.com/ website. If neither Portal nor IIS has any security headers defined, the result is an “F” grade.
To improve the level of security we will focus on four basic headers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Header values used in the example:
| Name | Value |
| --- | --- |
| Referrer-Policy | strict-origin-when-cross-origin |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| X-Content-Type-Options | nosniff |
| Content-Security-Policy | default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' maps.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src data: 'self' maps.gstatic.com *.googleapis.com *.ggpht; font-src 'self' fonts.gstatic.com; frame-src 'self' *.powerbi.com; frame-ancestors 'self' https://*.sharepoint.com https://*.office.com teams.microsoft.com *.teams.microsoft.com *.skype.com; |
To add a header in WEBCON BPS, just click “+” in the “Custom response headers” section and enter the name and value for each of them.
After filling in the list of headers, save the changes by clicking “Save”. The changes will be visible immediately.
Headers defined in this way result in a final “A” grade.
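The following script is an added example, not part of WEBCON BPS or of the original article. It shows how an administrator can check, independently of an external grading site, that the four headers above are present and that their values are sensible: it parses the HSTS max-age, splits the CSP into directives and flags 'unsafe-inline' and 'unsafe-eval' in script-src. The header set it runs against is constructed inline from the table above; the one-year HSTS threshold and the choice of findings are this example's own assumptions, not WEBCON's recommendations. To check a live server, feed the function the headers obtained from urllib or http.client instead.

```python
"""Review a set of HTTP response headers for the four security headers
discussed above. Added example, not WEBCON BPS code; standard library only,
so it runs offline against the constructed sample below."""

from typing import Dict, List

# Constructed sample: the header values from the table, as a server would return them.
SAMPLE_HEADERS = {
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": (
        "default-src 'self'; object-src 'none'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' maps.googleapis.com; "
        "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
        "img-src data: 'self' maps.gstatic.com *.googleapis.com *.ggpht; "
        "font-src 'self' fonts.gstatic.com; frame-src 'self' *.powerbi.com; "
        "frame-ancestors 'self' https://*.sharepoint.com https://*.office.com "
        "teams.microsoft.com *.teams.microsoft.com *.skype.com;"
    ),
}

REQUIRED = ("Referrer-Policy", "Strict-Transport-Security",
            "X-Content-Type-Options", "Content-Security-Policy")

ONE_YEAR = 31536000  # assumed minimum HSTS max-age; matches the table's value


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; directives are ';'-separated."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header, or -1 if absent or not an integer."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val)
            except ValueError:
                return -1
    return -1


def review_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'findings': [...]} for the given response headers.
    Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED if h.lower() not in lower]
    findings: List[str] = []

    xcto = lower.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is set but not 'nosniff'")

    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = lower.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        # script-src falls back to default-src when not given, as CSP specifies
        script = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:
                findings.append(f"script-src allows {weak}")
        if "frame-ancestors" not in policy:
            findings.append("CSP has no frame-ancestors directive")

    return {"missing": missing, "findings": findings}


if __name__ == "__main__":
    result = review_headers(SAMPLE_HEADERS)
    print("missing:", result["missing"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the table's values, the script reports nothing missing but two findings: the CSP's script-src allows 'unsafe-inline' and 'unsafe-eval', which the grading site tolerates for an “A” but which weaken the script-injection protection CSP is meant to provide. This is the kind of value the “Attention” note below says must be adjusted per installation.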
Attention
The example presented here only demonstrates the possibilities of the new WEBCON BPS functionality. The configuration is not a template to be used as-is; it should be adjusted individually to the needs and recommendations of administrators.