#28134 Configuration options for HttpSecureHeaderFilter

Enhancement

Major

#28009

Auto-fit of table columns

#28039

Development version of the Professional Edition without restrictions on the number of users and LDAP

#28160

Visual marking of mandatory fields

#28195

Initialization of new objects

#28211

TL script: Text blocks and escape symbols \n, \r,... support

#28215

TLScript: split() and join()

Detail

#28029

Set calculated columns in table components as ID column

#28130

Reduction of the date and time input fields and optimization of the table layout

#28134

Configuration options for HttpSecureHeaderFilter

#28163

Settings component should be able to be SecurityMaster

#28168

Default value for memory rule implementation: Calculation via TL script

#28186

ModelNamingScheme for transient objects

#28194

Revision of homepage mechanism

#28201

Migration processors: Delete objects and links

#28206

Row selection column in tables: Click next to checkbox discards selection

#28207

UI action "SetModel" should not only be able to set the exact command result as a model

#28208

Name fallback for LDAP synchronization in case of misconfiguration

Bugfix

Major

#28084

Unsightly separator for classification lists as radio buttons

#28139

Model editor swaps edge ends and labels

#28147

Dropdown labels break down

#28159

Canceling dialogs does not work

Detail

#27702

UML diagram of a functional object disappears in the model editor

#27786

Duplicate columns in the model editor

#27824

Indent list items in tooltips

#27880

Confusing description of the TL script function copy()

#27881

Suboptimal check for isDerived() in the implementation of the TL script copy()

#28076

Error in the color chooser: Inline styling and ID generation

#28078

Application no longer starts after "Transfer help to development environment"

#28092

No mandatory symbol with dynamic visibility

#28107

Right-click in the model tree leads to errors

#28111

Missing distance icon title in error dialog

#28112

Creating a transient version of an object with sequence attribute starts transaction

#28118

Long items enlarge DropDown's endlessly

#28121

Inactive form elements show errors and prevent saving

#28124

Poor display in the progress dialog

#28143

Null pointer exception when creating a reference in a foreign module

#28146

Core theme: Maintenance mode message cannot be recognized

#28158

TL script: switch via constants cannot be parsed

#28166

Internal error with TLScript call with surplus parameters

#28169

Error accessing ModelChangeEvent without change

#28170

Layout editor: Editing view not possible after integrating `woodstox-core`

#28179

Missing values in transient objects with overwritten attributes

#28180

Export of layouts can cause duplicates

#28185

Missing preload for reverse inline reference attributes

#28198

Transient objects cannot receive a container

#28199

Model access in Current: Fallback for deleted types

Nice to have

#28164

Documentation of the switch expression in TL script confusing

Enhancement

Detail

#28134

Configuration options for HttpSecureHeaderFilter

MicroFrontend Security

The HttpSecureHeaderFilter is integrated by default and sets HTTP headers to secure the page against XSS attacks, for example.

However, the default settings do not allow, for example, a micro-frontend of an application to be integrated into another via iframe. Therefore, the set headers should be adjustable in the application configuration.

Application

Configuration options in application/configs:

<config config:interface="com.top_logic.knowledge.gui.layout.HttpSecureHeaderFilter$GlobalConfig"> <headers> <header name="X-Content-Type-Options" values="nosniff"/> <header name="X-XSS-Protection"> <values> <value value="1; mode=block"/> </values> </header>
		<header name="Strict-Transport-Security"> <values> <value value="max-age=31536000; includeSubDomains"/> </values> </header> <header name="X-Frame-Options" values="SAMEORIGIN"/> </headers> </config>

Test

Inspection of the HTTP headers of a page, the set headers should be set.