Applies to version: 2020.1.x; updated for 2025.1.x; author: Tomasz Słuszniak
Introduction
From version 2020.1.3.321 it is possible to define additional HTTP headers that the web server returns in its responses. This functionality can be used, for example, to raise the security level of WEBCON BPS Portal, which is especially important when BPS Portal is publicly available on the Internet.
To define headers, go to WEBCON BPS Designer Studio -> System settings -> Global parameters -> Security
(In older system versions, this option is found directly in the Global parameters node).
Example
To verify the security level of our BPS Portal, we will use the https://securityheaders.com/ website. If Portal and IIS do not have any security headers defined, we will get the “F” grade.
To improve the level of security we will focus on four basic headers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Header values used in the example:

Name | Value
--- | ---
Referrer-Policy | strict-origin-when-cross-origin
Strict-Transport-Security | max-age=31536000; includeSubDomains
X-Content-Type-Options | nosniff
Content-Security-Policy | default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' maps.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src blob: data: 'self' maps.gstatic.com *.googleapis.com *.ggpht; font-src 'self' fonts.gstatic.com; frame-src 'self' *.powerbi.com; frame-ancestors 'self' https://*.sharepoint.com https://*.office.com teams.microsoft.com *.teams.microsoft.com *.skype.com;
To add a header in WEBCON BPS, just click “+” in the “Custom response headers” section and enter the name and value for each of them.
After filling in the list of headers, save the changes by clicking “Save”. The changes will be visible immediately.
Headers defined in this way result in a final “A” grade.
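An external scanner such as securityheaders.com is convenient, but an administrator will also want an offline check that can be run against the header set before it is saved in Designer Studio, and again after deployment against the headers the Portal actually returns. The script below is an added example written for this article, not part of WEBCON BPS or of the original post. It parses the four headers discussed above and reports findings; the ARTICLE_HEADERS dictionary reproduces the values from the table above verbatim, while BARE_HEADERS is a constructed sample standing in for a Portal with no custom headers configured. The thresholds (one-year HSTS max-age, the set of "safe" Referrer-Policy values, the CSP directives checked) are the author of this example's assumptions, chosen to mirror what the four MDN pages linked above describe.

```python
"""Offline audit of the four security headers discussed in the article."""
from typing import Dict, List

# Header values copied verbatim from the article's table (including the
# '*.ggpht' host source exactly as written there).
ARTICLE_HEADERS: Dict[str, str] = {
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": (
        "default-src 'self'; object-src 'none'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' maps.googleapis.com; "
        "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
        "img-src blob: data: 'self' maps.gstatic.com *.googleapis.com *.ggpht; "
        "font-src 'self' fonts.gstatic.com; frame-src 'self' *.powerbi.com; "
        "frame-ancestors 'self' https://*.sharepoint.com https://*.office.com "
        "teams.microsoft.com *.teams.microsoft.com *.skype.com;"
    ),
}

# Constructed sample: a Portal with no custom response headers configured.
BARE_HEADERS: Dict[str, str] = {"Server": "Microsoft-IIS/10.0", "Content-Type": "text/html"}

# Assumed policy: referrer values that never send the full URL cross-origin.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # seconds; the max-age used in the article


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources]}; directive names lower-cased."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # a trailing ';' yields an empty part, which is skipped
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value: str) -> Dict[str, object]:
    """Return {'max_age': int | None, 'include_subdomains': bool} from an HSTS value."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                result["max_age"] = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age is reported as missing by the caller
        elif d == "includesubdomains":
            result["include_subdomains"] = True
    return result


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    elif rp.strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy '{rp}' may leak full URLs cross-origin")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None or parsed["max_age"] < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
        if not parsed["include_subdomains"]:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        if policy.get("object-src") != ["'none'"]:
            findings.append("CSP object-src is not 'none'")
        if "frame-ancestors" not in policy:
            findings.append("CSP frame-ancestors missing (framing not restricted)")
        # script-src falls back to default-src when absent, as the browser does.
        script = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:
                findings.append(f"CSP script-src allows {weak} (weakens XSS protection)")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("bare IIS", BARE_HEADERS), ("article values", ARTICLE_HEADERS)):
        print(f"== {label} ==")
        for finding in audit_headers(hdrs) or ["no findings"]:
            print(" -", finding)
```

Run against the bare sample it reports all four headers missing; run against the article's own values it passes everything except that script-src still permits 'unsafe-inline' and 'unsafe-eval'. That last point is worth knowing when reading the "A" grade: the scanner rewards the presence of a CSP, while those two source expressions are what an administrator would review next when tightening the policy for their own Portal. To check a live deployment, replace the dictionaries with the headers of an actual response (for example from `requests.get(url).headers`) and feed them to audit_headers unchanged.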
Attention
The presented example is one of many possible uses of the new WEBCON BPS functionality. This configuration is not a template to be applied as-is; it should be adjusted individually to the needs and recommendations of administrators.