Enabling Spring Security in Content Delivery microservices
Content Delivery microservices use the Spring framework, for which you can enable security. Securing Spring means, among other things, that HTTP headers are added to your HTTP responses.
Procedure
Results
Enabling Spring Security has multiple results.
One result is that browsing to the endpoint of a secured microservice results in a popup login window, prompting the user to enter valid credentials for the microservice. Once a user has logged in, they are no longer prompted for any other microservices that use the same credentials.
| HTTP header name | HTTP header value | Description |
|---|---|---|
| X-XSS-Protection | 1; mode=block | Prevents some categories of XSS (cross-site scripting) attacks from the browser. To disable this protection, add the following line to application.properties: |
| X-Frame-Options | sameorigin | The webpage can only be displayed in a frame with the same origin as the webpage itself. To disable this restriction, add the following line to application.properties: |
| X-Content-Security-Policy | default-src 'self' | Prevents XSS by requiring that all content come from the site's own origin (excluding subdomains). |
| X-WebKit-CSP | default-src 'self' | Prevents XSS by requiring that all content come from the site's own origin (excluding subdomains). |
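
One way to confirm that a secured microservice actually returns the headers in the table above is to audit a captured response against the expected values. This is an added example, not part of the original documentation; the `audit` function, the `EXPECTED` mapping and the sample response are constructed for illustration.

```python
from email.parser import Parser

# Expected values copied from the header table on this page.
EXPECTED = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "sameorigin",
    "X-Content-Security-Policy": "default-src 'self'",
    "X-WebKit-CSP": "default-src 'self'",
}

# Constructed sample response (not captured from a real service).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "x-xss-protection: 1;mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Security-Policy: default-src *\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def _norm(value):
    # Compare case-insensitively and ignore spacing around ';' separators.
    return ";".join(" ".join(part.split()) for part in value.lower().split(";"))


def audit(raw_response):
    """Return {header: (status, observed_values)}; status is ok, missing or mismatch."""
    # Keep only the header section, then drop the status line.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    report = {}
    for name, want in EXPECTED.items():
        seen = headers.get_all(name) or []  # header names match case-insensitively
        if not seen:
            report[name] = ("missing", [])
        elif len(seen) > 1 or _norm(seen[0]) != _norm(want):
            # A duplicated header is flagged too: browsers may honour either copy.
            report[name] = ("mismatch", seen)
        else:
            report[name] = ("ok", seen)
    return report


if __name__ == "__main__":
    for name, (status, seen) in audit(SAMPLE).items():
        print(f"{status:9} {name}: {seen}")
```

For the sample response, the first two headers pass despite the differences in case and spacing, `X-Content-Security-Policy` is reported as a mismatch, and `X-WebKit-CSP` is reported as missing.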