
Enabling Spring Security in Content Delivery microservices

Content Delivery microservices use the Spring framework, for which you can enable security. Among other things, securing Spring means that additional HTTP headers are added to your HTTP responses.

Procedure

  1. Go to the configuration location of one of your Content Delivery microservices.
  2. Open the file application.properties for editing.
  3. Remove the initial # character from the following line in the file to uncomment it:
    #service.security.enabled=false
  4. Save and close application.properties.
  5. Restart the Content Delivery microservice.
  6. Go to the configuration location of another one of your Content Delivery microservices and repeat the same steps. Repeat this task for all Content Delivery microservices.

Results

Enabling Spring Security has multiple results.

One result is that browsing to the endpoint of a secured microservice results in a popup login window, prompting the user to enter valid credentials for the microservice. Once a user has logged in, they are no longer prompted for any other microservices that use the same credentials.

Another result is that HTTP responses now include a number of additional HTTP headers:

| HTTP header name | HTTP header value | Description |
|---|---|---|
| X-XSS-Protection | 1; mode=block | Prevents some categories of XSS (cross-site scripting) attacks from the browser. To disable this protection, add the following line to application.properties: udp.xssprotection.enabled=false |
| X-Frame-Options | sameorigin | The webpage can only be displayed in a frame with the same origin as the webpage itself. To disable this restriction, add the following line to application.properties: udp.frameoptions.enabled=false |
| X-Content-Security-Policy | default-src 'self' | Prevents XSS by requiring that all content come from the site's own origin (excluding subdomains). |
| X-WebKit-CSP | default-src 'self' | Prevents XSS by requiring that all content come from the site's own origin (excluding subdomains). |
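
To confirm after the restart that a microservice actually sends the headers listed above, the following check compares a raw HTTP response against the table and honours the two opt-out properties. It is an added example, not code from the product or its documentation. The function names and the sample response are constructed, and it assumes that a header switched off in application.properties is no longer sent.

```python
# Header values from the table on this page, names lower-cased for lookup.
EXPECTED = {
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "sameorigin",
    "x-content-security-policy": "default-src 'self'",
    "x-webkit-csp": "default-src 'self'",
}
# application.properties switches the page gives for turning a header off.
OPT_OUT = {"udp.xssprotection.enabled": "x-xss-protection",
           "udp.frameoptions.enabled": "x-frame-options"}

def parse_properties(text):
    """Minimal key=value reader; skips blank lines and # or ! comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_headers(raw):
    """Map lower-cased header names to every value sent in a raw response."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [0] is status line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(" ".join(value.split()))
    return headers

def check_headers(raw_response, properties_text=""):
    """Return findings; an empty list means the response matches the table."""
    props = parse_properties(properties_text)
    off = {h for k, h in OPT_OUT.items() if props.get(k, "").lower() == "false"}
    seen, findings = parse_headers(raw_response), []
    for name, want in EXPECTED.items():
        values = seen.get(name, [])
        if name in off:
            if values:
                findings.append(f"{name}: sent although disabled in application.properties")
        elif not values:
            findings.append(f"{name}: missing")
        elif any(v.lower() != want for v in values):
            findings.append(f"{name}: unexpected value {values!r}")
    return findings
# Constructed sample response, not captured from a real service.
SAMPLE = ("HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n"
          "X-Frame-Options: SAMEORIGIN\r\nX-WebKit-CSP: default-src 'self'\r\n\r\n")
```

Values are compared case-insensitively, so SAMEORIGIN and sameorigin both pass. Run it against each microservice in turn, since the setting is applied per service.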