FM Server and HTTP Security Headers [x-post]

Hi all,

We have our FM Server set up for WebDirect, and as part of a 3rd party vulnerability test, our site got dinged for not having several HTTP Security Headers configured.

I am not sure what tools the 3rd party is using, but they provided a Mozilla testing link for guidance. You can run this against your domain where WebDirect is running.

The specific items in our report are: content-security-policy, cache-control, x-content-type-options, referrer-policy, feature-policy

We set up the following headers from the Claris Engineering blog page. One is in our ding list and two are not. We went ahead and added the two others.
https://support.claris.com/s/answerview?anum=000035873&language=en_US

Name: Value
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

From the ding list, we also added these without any apparent adverse effects. We used suggested default values from the Mozilla documentation.
cache-control: s-maxage=86400
referrer-policy: no-referrer
feature-policy: none

That leaves us with this one response header. Using the suggested default from Mozilla as shown below, it causes the WebDirect home page to not show our databases. The page is blank.

content-security-policy: default-src https:

Does anyone have any suggestions or experience with this security header in particular, but also any comments about the others on our ding list that were not mentioned in the Claris engineering blog?

Thanks,
Doug

1 Like

Oh, the joy of the Web: much documentation is found, but it is made for those who already know the answers :disappointed:.

According to CSP: default-src - HTTP | MDN (mozilla.org)

https: by itself is not a valid value for default-src. If you look at Content Security Policy (CSP) - HTTP | MDN (mozilla.org)

(example code)

<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; img-src https://*; child-src 'none';">

and

Content-Security-Policy: default-src https://onlinebanking.jumbobank.com

Hope that helps

2 Likes

Hi,

We are setting the headers in the config of the IIS server. FMS is running on Windows Server 2019. According to the documentation on this page:

using “Content-Security-Policy: default-src https:” is a valid option.

As you mentioned, the web stuff can be convoluted for sure.

Thanks,
Doug

The complete page in the browser is blank, no message at all?

What do you get if you look at the source for the page?

Anything in FMS logs or IIS logs?

@Malcolm do you have any idea about what's going on? Thanks

@bowdendata have you tried

content-security-policy: default-src 'self' https:

or do you not care where the content is coming from, so long as it has an SSL cert it is OK.
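To make the syntax discussion earlier in the thread and the `'self' https:` suggestion above concrete, here is an added example (not code from the thread, from Claris, or from FileMaker Server) that implements the subset of CSP Level 3 source matching needed to compare these policies: scheme-sources such as `https:`, host-sources such as `https://*.example.net/libs/`, and the keywords `'self'`, `'none'` and `'unsafe-inline'`. Nonces, hashes and `'strict-dynamic'` are not implemented. The hostnames and resource URLs are constructed for the example. It shows that `https:` on its own already matches every https origin including the page's own, so adding `'self'` changes nothing for an https-served page, while neither policy permits inline scripts or styles; the blank page is the symptom a blocked inline script would produce, which is something to confirm in the browser's developer console rather than assume. A defender-side way to check this without breaking the site is to ship the same value under `Content-Security-Policy-Report-Only` first, which logs violations to the console without enforcing them.

```python
"""Minimal CSP source-expression matcher (added example; assumptions are
marked in comments). Implements scheme-source, host-source, 'self', 'none',
'unsafe-inline' and '*' matching from CSP Level 3; nonces, hashes and
'strict-dynamic' are intentionally out of scope."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Per the spec, a repeated directive is ignored; the first one wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Sources governing a fetch directive, falling back to default-src.
    Returns None when neither is present, meaning the load is unrestricted."""
    return policy.get(directive, policy.get("default-src"))


def _origin(url: str):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _scheme_matches(pattern_scheme: str, url_scheme: str) -> bool:
    # CSP3: an http: or ws: pattern also matches the secure variant.
    return url_scheme == pattern_scheme or (pattern_scheme, url_scheme) in (
        ("http", "https"), ("ws", "wss"))


def _host_source_allows(source: str, url: str, page_scheme: str) -> bool:
    """Match a host-source like https://*.example.net:443/libs/ against a URL."""
    if "://" not in source:            # no scheme given: the page's scheme applies
        source = f"{page_scheme}://{source}"
    scheme_part, rest = source.split("://", 1)
    netloc, _, path = rest.partition("/")
    host, _, port = netloc.rpartition(":") if ":" in netloc else (netloc, "", "")
    host = host.lower()
    u_scheme, u_host, u_port = _origin(url)
    if not _scheme_matches(scheme_part.lower(), u_scheme):
        return False
    if host.startswith("*."):          # *.example.net matches sub.example.net only
        if not u_host.endswith(host[1:]):
            return False
    elif host != "*" and host != u_host:
        return False
    if port == "*":
        pass
    elif port:
        if int(port) != u_port:
            return False
    elif u_port != DEFAULT_PORTS.get(u_scheme):
        return False
    if path:                           # a trailing slash means prefix match
        pattern_path = "/" + path
        url_path = urlsplit(url).path or "/"
        if pattern_path.endswith("/"):
            return url_path.startswith(pattern_path)
        return url_path == pattern_path
    return True


def source_allows(source: str, url: str, page_url: str) -> bool:
    """Does one source expression permit loading `url` from a page at `page_url`?"""
    s = source.lower()
    if s == "'none'" or s in ("'unsafe-inline'", "'unsafe-eval'") or s.startswith(("'nonce-", "'sha")):
        return False                   # keywords that never match a URL
    if s == "*":
        return urlsplit(url).scheme.lower() not in ("data", "blob", "filesystem")
    if s == "'self'":
        return _origin(url) == _origin(page_url)
    if s.endswith(":") and "/" not in s:   # scheme-source, e.g. https:
        return _scheme_matches(s[:-1], urlsplit(url).scheme.lower())
    return _host_source_allows(source, url, urlsplit(page_url).scheme.lower())


def policy_allows(header: str, directive: str, url: str, page_url: str) -> bool:
    sources = effective_sources(parse_csp(header), directive)
    return sources is None or any(source_allows(s, url, page_url) for s in sources)


def allows_inline(header: str, directive: str) -> bool:
    """Inline script/style is only allowed by 'unsafe-inline', and that keyword
    is ignored by browsers as soon as a nonce or hash appears in the list."""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True
    has_nonce_or_hash = any(s.lower().startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


# Constructed page and resource URLs for the three policies the thread discusses.
PAGE = "https://fms.example.com/"
LOADS = {
    "same-origin https script": "https://fms.example.com/app.js",
    "third-party https script": "https://cdn.example.net/lib.js",
    "plain http script": "http://fms.example.com/app.js",
}
POLICIES = [
    "default-src https:",
    "default-src 'self' https:",
    "default-src 'self'; script-src 'self' 'unsafe-inline'",
]


def compare_thread_policies() -> dict:
    """Return, per policy, which constructed loads and inline scripts are allowed."""
    results = {}
    for policy in POLICIES:
        row = {name: policy_allows(policy, "script-src", url, PAGE) for name, url in LOADS.items()}
        row["inline script"] = allows_inline(policy, "script-src")
        results[policy] = row
    return results


if __name__ == "__main__":
    for policy, row in compare_thread_policies().items():
        print(policy)
        for name, allowed in row.items():
            print(f"  {name:26} {'allowed' if allowed else 'BLOCKED'}")
```

Running the block prints one table per policy; the first two rows are identical, and the only policy that permits an inline script is the one carrying `'unsafe-inline'`. The same functions can be pointed at the exact URLs the browser console reports as violations to see which directive, and which source expression, is responsible.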