You can configure custom response headers for each Identity Server cluster based on your enterprise requirements. In addition, you can add a Content Security Policy (CSP) header, which tells the client browser which sources it may load, frame, or submit forms to when it renders Identity Server pages.
NOTE: If you add a CSP header that contains frame-ancestors, disable the X-Frame-Options header to avoid conflicting framing policies. Browsers that support CSP give frame-ancestors precedence over X-Frame-Options.
To add a custom response header to the required URL, perform the following steps:
Click Devices > Identity Servers > <Identity Server Cluster> > General > Response Headers.
Click the Add icon and specify the following details:
Header Name: The name of the required header.
You can choose the required header from the list or specify the name of the header.
Header Value: The value for the header.
URL Patterns: A regular expression (regex) that selects the URL paths to which this header is added.
The pattern is matched against the path portion of the destination URL, that is, the part that follows the host and port number.
For more information about using regular expressions, see Regular Expressions.
Click Save.
For example, assume you have an Identity Server cluster named IDP-cluster. To add a CSP header with the frame-ancestors, form-action, and frame-src directives to all URL paths that include /nidp/, perform the following steps:
Click Devices > Identity Servers > IDP-cluster > General > Response Headers.
Click Add.
Specify the following details:
Header Name: Content-Security-Policy
Header Value: frame-src 'self'; frame-ancestors 'self'; form-action 'self'
NOTE: The source value in this example is 'self'. You can use any value from the CSP source list except 'nonce-' and 'sha256-'; nonce and hash sources govern scripts and styles and are not meaningful for the frame-src, frame-ancestors, and form-action directives used here.
URL Patterns: .*/nidp/.*
NOTE:When integrated with Advanced Authentication using the generic method, configure the CSP header by adding Advanced Authentication as an allowed source. For more information, see TID.
Click Devices > Identity Servers > IDP-cluster > General > Response Headers.
Click Add.
Specify the following details:
Header Name: Cache-Control
Header Value: no-cache,no-store
URL Patterns: /.*
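The following added example, which is not part of the product documentation or the product's own code, models how the two rules configured above select headers for a request. It assumes that a URL pattern is matched against the path only (no scheme, host, port, or query string) and that the regex must match the whole path; both are assumptions made here for illustration, as is the rule table, which simply restates the two examples on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed rule table mirroring the two examples on this page.
# Each entry is (header name, header value, URL-pattern regex).
RULES = [
    ("Content-Security-Policy",
     "frame-src 'self'; frame-ancestors 'self'; form-action 'self'",
     r".*/nidp/.*"),
    ("Cache-Control", "no-cache,no-store", r"/.*"),
]


def request_path(url: str) -> str:
    """Return the part of the URL that follows the host and port.

    Assumption: the query string is not part of the matched path, so
    https://idp.example.com:8443/nidp/app?x=1 is matched as /nidp/app.
    """
    return urlsplit(url).path


def headers_for(url: str, rules=RULES) -> dict:
    """Return the response headers whose URL pattern matches the request path.

    Assumption: the pattern must match the entire path (re.fullmatch), which
    is why the page's own patterns start with '.*' or '/' and end with '.*'.
    """
    path = request_path(url)
    return {name: value
            for name, value, pattern in rules
            if re.fullmatch(pattern, path)}


def frame_conflict(headers: dict) -> bool:
    """Flag the overlap the NOTE warns about: X-Frame-Options set alongside a
    CSP header that already carries frame-ancestors."""
    csp = headers.get("Content-Security-Policy", "")
    return "X-Frame-Options" in headers and "frame-ancestors" in csp


if __name__ == "__main__":
    # Constructed sample URLs: host/port never take part in the match.
    for url in ("https://idp.example.com:8443/nidp/app/login",
                "https://idp.example.com:8443/nidp",          # no trailing slash
                "https://nidp.example.com/other"):             # 'nidp' only in host
        print(url, "->", headers_for(url))
    print("conflict:", frame_conflict({**headers_for(
        "https://idp.example.com/nidp/app"), "X-Frame-Options": "DENY"}))
```

Note that `.*/nidp/.*` requires the slash after `nidp`, so `/nidp` on its own receives only the Cache-Control header, and a host name containing `nidp` never matters because only the path is compared. After saving the configuration, check a live server with `curl -sI https://<identity-server>/nidp/app/login` and confirm that Content-Security-Policy and Cache-Control are present and X-Frame-Options is absent.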