Default response actions

Those admins who have access to an Airlock Gateway can import the Default mapping template in the Configuration Center to have a visual representation of the default settings.

Note that only one of the HSTS rules below can be enabled while the other one must be disabled:

  • (default) Add Strict-Transport-Security (HSTS) header
  • (default) Add Strict Transport Security (HSTS) header for preload list

For more information about HSTS preload, see https://hstspreload.org/.

| Action Name | Description | Default |
| --- | --- | --- |
| (default) Response header whitelist | All headers not explicitly contained in the whitelist of well-known headers are removed. | disabled |
| (default) Response header blacklist | Removes some unused headers. | enabled |
| (default) Response header blacklist (information leakage) | Some headers leak information about back-end servers and deployed software. By removing these headers, such information is hidden from potential attackers. | enabled |
| (default) Remove NTLM header | Back-ends can advise clients to authenticate using NTLM. By default, these headers are removed, because NTLM passthrough is not supported. When using front-side NTLM in combination with an authentication service, this action must be disabled. | enabled |
| (default) Remove Negotiate header | Back-ends can advise clients to authenticate using a specific method. By default, these headers are removed. This action must be disabled when using front-side Kerberos in combination with an authentication service. | enabled |
| (default) Remove permissive CORS header | CORS (Cross-Origin Resource Sharing) is a method for enabling cross-origin requests in browsers. If misconfigured, CORS reduces client-side security. This action removes CORS headers that have no restrictions. | enabled |
| (default) Add X-Frame-Options header | If no X-Frame-Options header is specified by the back-end, this action advises browsers to display a page only in a frame with the same origin as the page itself. This prevents clickjacking attacks. | enabled |
| (default) Add Strict-Transport-Security (HSTS) header | HSTS headers advise browsers to use solely secure HTTPS connections towards the back-end. If no HSTS header is specified by the back-end, this action adds a default HSTS header, requiring HTTPS for all requests. | enabled |
| (default) Add Strict Transport Security (HSTS) header for preload list | HSTS headers advise browsers to use solely secure HTTPS connections towards the back-end. Sets the Strict-Transport-Security header correctly in order to comply with the HSTS preload list requirements. After enabling this action, your virtual host must be registered at https://hstspreload.org. | disabled |
| (default) Add Content-Security-Policy (CSP) header | Content Security Policy (CSP) is a technique for preventing Cross-Site Scripting and similar attacks by restricting the origin of resources included in a website. Defining fine-grained policies requires good knowledge of the application. If no CSP header is specified by the back-end, this action adds a base protection, allowing inclusion of JavaScript and image resources only from the back-end itself. | disabled |
| (default) Add Content-Security-Policy (CSP) header (with prefix "X-") | See action "(default) Add Content-Security-Policy (CSP) header" (variant with an "X-" prefix). | disabled |
| (default) Add XSS-Protection header | If no corresponding header is present, this action enables the XSS protection feature of IE 8 browsers (and newer). | enabled |
| (default) Add Content-Type-Options header | If no corresponding header is present, this action disables a browser feature called MIME-type sniffing, which can be harmful. | enabled |
| (default) Set cookie security attributes | This action automatically sets the security attributes of cookies based on the current configuration. In particular, the "Secure" attribute is set if HTTPS is enabled on the virtual host and disabled otherwise. The "HttpOnly" attribute is automatically set for encrypted cookies. For passthrough cookies, the "HttpOnly" attribute is not modified. | enabled |
| (default) Translate internal cookie path | Action for rewriting the "Path" attribute of cookies. Rewriting the cookie path may be necessary if the application creates absolute or incorrect cookie paths because it is not reverse proxy compatible. | enabled |
| (default) Translate internal cookie domain | This action replaces the "Domain" attribute of cookies with the session cookie domain configured on the corresponding virtual host. | enabled |
| (default) Add Referrer-Policy header | If no corresponding header is present, this action prevents information leakage from your web application. | enabled |
| (default) Add Feature-Policy header | If no corresponding header is present, this action prevents the use of some sensitive browser features outside of your web application. | enabled |
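The following added example (not Airlock's own code) models the enabled-by-default actions from the table as a pure function over a back-end's response headers, so the "add only if the back-end did not set it" and "remove permissive CORS / NTLM / Negotiate" semantics can be checked against a constructed response. The header values marked ASSUMED and the leaky-header set are placeholders, since the page does not state the concrete values; the HttpOnly-for-encrypted-cookies rule and the path/domain translations are not modeled.

```python
# Added example: simplified model of the default response actions (not Airlock code).
from typing import Dict, List, Tuple

# Headers the "information leakage" blacklist strips (ASSUMED sample set).
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Security headers added only when the back-end did not set them itself.
# CSP is not listed because that action is disabled by default.
ADD_IF_MISSING = {
    "strict-transport-security": "max-age=31536000",      # ASSUMED default value
    "x-frame-options": "SAMEORIGIN",                       # same-origin framing only
    "x-content-type-options": "nosniff",                   # disable MIME-type sniffing
    "x-xss-protection": "1; mode=block",                   # ASSUMED default value
    "referrer-policy": "strict-origin-when-cross-origin",  # ASSUMED default value
    "feature-policy": "camera 'none'; microphone 'none'",  # ASSUMED default value
}

def set_cookie_attributes(cookie: str, https: bool) -> str:
    """Set or clear the Secure attribute depending on whether HTTPS is enabled."""
    attrs = [p.strip() for p in cookie.split(";") if p.strip()]
    attrs = [a for a in attrs if a.lower() != "secure"]   # drop any existing flag
    if https:
        attrs.append("Secure")                             # re-add only on HTTPS hosts
    return "; ".join(attrs)

def apply_default_actions(headers: List[Tuple[str, str]], https: bool = True) -> Dict[str, List[str]]:
    """Apply the enabled default actions to (name, value) pairs from the back-end.

    A list of pairs is used because WWW-Authenticate and Set-Cookie may repeat.
    Returns lower-cased header name -> list of values.
    """
    out: Dict[str, List[str]] = {}
    for name, value in headers:
        key, low = name.lower(), value.strip().lower()
        if key in LEAKY_HEADERS:
            continue                                       # hide back-end software details
        if key == "www-authenticate" and low.startswith(("ntlm", "negotiate")):
            continue                                       # no NTLM/Negotiate passthrough
        if key == "access-control-allow-origin" and low == "*":
            continue                                       # unrestricted CORS header removed
        if key == "set-cookie":
            value = set_cookie_attributes(value, https)
        out.setdefault(key, []).append(value)
    for key, default in ADD_IF_MISSING.items():
        out.setdefault(key, [default])                     # back-end's own header wins
    return out

# Constructed sample back-end response used to exercise the actions.
SAMPLE_BACKEND_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Server", "Apache/2.4"),
    ("WWW-Authenticate", "NTLM"),
    ("Access-Control-Allow-Origin", "*"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "sid=abc; Path=/"),
]
```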