Hi all,
We have our FM Server set up for WebDirect and, as part of a third-party vulnerability test, our site got dinged for not having several HTTP security headers configured.
I am not sure what tools the third party is using, but they provided a Mozilla testing link for guidance. You can run this against your domain where WebDirect is running.
The specific items in our report are: content-security-policy, cache-control, x-content-type-options, referrer-policy, feature-policy
We set up the following headers from the Claris Engineering blog page. One is on our ding list and two are not. We went ahead and added the two others.
https://support.claris.com/s/answerview?anum=000035873&language=en_US
Name                       Value
Strict-Transport-Security  max-age=31536000; includeSubDomains
X-Content-Type-Options     nosniff
X-XSS-Protection           1; mode=block
From the ding list, we also added these without any apparent adverse effects. We used suggested default values from the Mozilla documentation.
cache-control              s-maxage=86400
referrer-policy            no-referrer
feature-policy             none
That leaves us with this one response header. Using the suggested default from Mozilla as shown below, it causes the WebDirect home page to not show our databases. The page is blank.
content-security-policy    default-src https:
Does anyone have any suggestions or experience with this security header in particular, but also any comments about the others on our ding list that were not mentioned in the Claris engineering blog?
Thanks,
Doug
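The blank page is the expected effect of a Content-Security-Policy that only lists `default-src https:`: every fetch directive (script-src, style-src, img-src, connect-src, ...) inherits that single source, and because neither `'unsafe-inline'` nor scheme sources such as `data:` or `blob:` are listed, the browser refuses inline scripts, inline styles, and data: URLs. A web application that depends on any of those stops rendering. The usual way to find out exactly which loads a policy would block, without breaking the page, is to ship the same value in a `Content-Security-Policy-Report-Only` header first and read the violation reports (or the browser console). The script below, an added example and not code from Claris or the WebDirect product, does the same evaluation offline: it audits a set of response headers against the list in the post, parses a CSP string, and reports which constructed page loads the strict policy blocks and which a relaxed policy permits. The host name `fm.example.com`, the sample headers and the list of loads are constructed assumptions; whether WebDirect makes exactly those loads is not documented here.

```python
"""Audit security headers and evaluate Content-Security-Policy decisions.

Added example for the question above, not Claris/WebDirect code. The names
fm.example.com, the sample response headers and SAMPLE_LOADS are constructed.
"""
from urllib.parse import urlsplit

# Headers the post names: the two from the Claris article plus the "ding list".
EXPECTED_HEADERS = [
    "strict-transport-security", "x-content-type-options", "x-xss-protection",
    "content-security-policy", "cache-control", "referrer-policy", "feature-policy",
]

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "frame-src", "media-src", "object-src", "worker-src", "manifest-src",
}


def missing_headers(response_headers):
    """Return expected headers absent from a response (names are case-insensitive)."""
    present = {name.lower() for name in response_headers}
    return [h for h in EXPECTED_HEADERS if h not in present]


def parse_csp(policy):
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _source_matches(source, resource, page_origin):
    """Subset of CSP3 source matching: keywords, scheme-sources, host-sources."""
    if source == "'none'":
        return False
    if resource == "inline":                      # inline <script>/<style>/handlers
        return source == "'unsafe-inline'"
    res = urlsplit(resource)
    origin = urlsplit(page_origin)
    if source == "*":                             # '*' never covers data:/blob:
        return res.scheme not in ("data", "blob", "filesystem")
    if source == "'self'":
        return (res.scheme, res.netloc) == (origin.scheme, origin.netloc)
    if source.startswith("'"):
        return False                              # nonces/hashes not modelled here
    if source.endswith(":") and "/" not in source:  # scheme-source: https:, data:, ...
        scheme = source[:-1]
        return res.scheme == scheme or (scheme == "http" and res.scheme == "https")
    # host-source, optionally with a scheme and a leading wildcard label
    src = urlsplit(source if "://" in source else "//" + source)
    want = src.scheme or origin.scheme
    if res.scheme != want and not (want == "http" and res.scheme == "https"):
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return res.hostname is not None and res.hostname.endswith(host[1:])
    return res.hostname == host


def csp_allows(policy, directive, resource, page_origin="https://fm.example.com"):
    """True if `policy` lets `directive` load `resource` (a URL or "inline").

    A missing fetch directive falls back to default-src, as browsers do; a
    directive absent everywhere imposes no restriction.
    """
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = directives.get("default-src")
    if sources is None:
        return True
    return any(_source_matches(s, resource, page_origin) for s in sources)


def blocked_resources(policy, resources, page_origin="https://fm.example.com"):
    """Return the (directive, resource) pairs the policy would block.

    This is the same decision a browser makes per load; Report-Only mode in
    production surfaces the real list before enforcement blanks the page.
    """
    return [(d, r) for d, r in resources if not csp_allows(policy, d, r, page_origin)]


# Constructed loads typical of a rich web app (an assumption about WebDirect).
SAMPLE_LOADS = [
    ("script-src", "https://fm.example.com/webdirect/app.js"),
    ("script-src", "inline"),
    ("style-src", "inline"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
    ("connect-src", "https://fm.example.com/webdirect/"),
]

STRICT_POLICY = "default-src https:"
RELAXED_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
                  "style-src 'self' 'unsafe-inline'; img-src 'self' data:")

if __name__ == "__main__":
    # Constructed response headers, missing the two the post has trouble with.
    sample_headers = {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Cache-Control": "s-maxage=86400",
        "Referrer-Policy": "no-referrer",
    }
    print("missing:", missing_headers(sample_headers))
    for name, policy in (("strict", STRICT_POLICY), ("relaxed", RELAXED_POLICY)):
        print(name, "blocks:", blocked_resources(policy, SAMPLE_LOADS))
```

The relaxed policy is a starting point, not a recommendation: `'unsafe-inline'` on script-src gives up most of what CSP offers against injected script, so the better long-term fix is to find out from Report-Only violations which inline scripts the application actually needs and allow them by nonce or hash, keeping the strict default for everything else.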