Configuring Control Center Security Headers

HTTP responses returned by Control Center contain HTTP security headers. These security headers can be edited in the file /etc/netrounds/netrounds.conf.

The table below shows:

  • the name of each security header
  • the name of the setting in /etc/netrounds/netrounds.conf that stores the value assigned to that header
  • the default value for the header.

| HTTP security header | Setting name in netrounds.conf | Default value |
|---|---|---|
| Content-Security-Policy | CONTENT_SECURITY_POLICY_HEADER | ("default-src 'self' https: http: ws: data: 'unsafe-inline' 'unsafe-eval';" " script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com;" " img-src 'self' *.google-analytics.com data:") |
| Expect-CT | EXPECT_CT_HEADER | None |
| Public-Key-Pins | PUBLIC_KEY_PINS_HEADER | None |
| Referrer-Policy | REFERRER_POLICY_HEADER | strict-origin |
| X-Content-Type-Options | X_CONTENT_TYPE_OPTIONS_HEADER | nosniff |
| X-Frame-Options | X_FRAME_OPTIONS_HEADER | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER | None |
| X-XSS-Protection | X_XSS_PROTECTION_HEADER | 1; mode=block |

Note: Headers with the value None will not be sent in the HTTP response.

To edit one or more of the security headers listed above, proceed as follows:

  1. Open the file /etc/netrounds/netrounds.conf as the root user (or using sudo).
  2. Uncomment the security header(s) of interest if they are commented out, by removing the hash characters ("#").
  3. Change the security header value as desired.
  4. Save and close the file.
  5. Reload the Apache service:

  6. Verify that the security headers are updated by running:

    Note: The URL must match the SITE_URL entry in /etc/netrounds/netrounds.conf, and the https:// prefix must be included.
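One way to script the check in step 6, as an added example that is not part of the vendor documentation: it compares a block of response headers against the defaults in the table above and treats None as "must not be sent". The names check_headers, header_value, EXPECTED and DEFAULT_CSP are hypothetical, the sample response is constructed, and the CSP default assumes the three quoted fragments in the table are concatenated into one value.

```sh
# Added example (not vendor code): check response headers against the table defaults.
# Default CSP from the table, assuming the three quoted fragments are concatenated.
DEFAULT_CSP="default-src 'self' https: http: ws: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com; img-src 'self' *.google-analytics.com data:"

# name|expected value; "None" means the header must be absent from the response.
EXPECTED="Content-Security-Policy|$DEFAULT_CSP
Expect-CT|None
Public-Key-Pins|None
Referrer-Policy|strict-origin
X-Content-Type-Options|nosniff
X-Frame-Options|SAMEORIGIN
X-Permitted-Cross-Domain-Policies|None
X-XSS-Protection|1; mode=block"

# Constructed sample response headers (not captured from a real Control Center).
SAMPLE_RESPONSE=$(printf '%s\r\n' 'HTTP/1.1 200 OK' \
  "content-security-policy: $DEFAULT_CSP" 'Referrer-Policy: strict-origin' \
  'X-Content-Type-Options: nosniff' 'X-Frame-Options: DENY' \
  'X-XSS-Protection: 1; mode=block' 'Expect-CT: max-age=0')

# header_value NAME HEADERS: print the value of NAME (case-insensitive), if present.
header_value() {
  printf '%s\n' "$2" | tr -d '\r' | awk -v n="$1" '
    BEGIN { n = tolower(n) }
    { i = index($0, ":")
      if (i && tolower(substr($0, 1, i - 1)) == n) {
        v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }'
}

# check_headers HEADERS: report each header; exit status is the mismatch count.
check_headers() {
  fails=0
  while IFS='|' read -r name want; do
    got=$(header_value "$name" "$1")
    if [ "$want" = "None" ] && [ -z "$got" ]; then
      echo "OK   $name: not sent"
    elif [ "$want" != "None" ] && [ "$got" = "$want" ]; then
      echo "OK   $name"
    else
      echo "FAIL $name: expected '$want', got '${got:-<absent>}'"
      fails=$((fails + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$fails"
}

check_headers "$SAMPLE_RESPONSE" || echo "mismatched headers: $?"
```

To use it against a live instance, edit EXPECTED to match the values set in netrounds.conf and pass the header block fetched from the SITE_URL (for example, the output of `curl -sI`) as the argument to check_headers.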

Below is an example of output from the verification step: