Skip to content

Commit 4624df7

Browse files
committed
External web-content security
Offers the ability to activate web-content security through X-Frame-Options / CSP headers for samples.
1 parent 2c2afdf commit 4624df7

2 files changed

Lines changed: 19 additions & 2 deletions

File tree

README.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -145,6 +145,22 @@ You can access the web application from [http://localhost:8080](http://localhost
145145

146146
The service restarts automatically when a change is detected, but you might need to refresh the webapp to ensure all changes are applied.
147147

148+
### External web-content security
149+
150+
The Agent API Simulator exposes WWE on HTTP port 7777, and is configured to display external web contents exposed by a second HTTP server on port 8080 (like SCAPI webpage).
151+
152+
To improve security, you may want to activate those two options :
153+
154+
- X-Frame-Options (for IE11)
155+
156+
_The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in an `<iframe>`. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites._
157+
158+
- Content Security Policy (For Chrome, Firefox, Edge)
159+
160+
_Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks._
161+
162+
If necessary, you can setup X-Frame-Option and CSP headers for this server, by uncommenting the lines bellow `CSP - X-Frame-Options` in file .`/src/samples/server.js`
163+
148164
### Testing
149165

150166
To run unit tests, do the following:

src/samples/server.js

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,9 +32,10 @@ app.use((req, res, next) => {
3232

3333
// CSP - X-Frame-Options
3434
// For IE (at least v.11)
35-
res.header('X-Frame-Options', 'ALLOW-FROM https://localhost:7777');
35+
// res.header('X-Frame-Options', 'ALLOW-FROM https://localhost:7777');
36+
3637
// For modern browsers (Chrome / Firefox / EdgeChromium / Safari ...)
37-
res.header('Content-Security-Policy', "frame-ancestors 'self' https://localhost:7777");
38+
// res.header('Content-Security-Policy', "frame-ancestors 'self' https://localhost:7777");
3839
next();
3940
});
4041

0 commit comments

Comments
 (0)