3.1.4 Configuring the Custom Response Header for an Identity Server Cluster

You can configure custom response headers for each Identity Server cluster based on your enterprise requirement. In addition, you can create the Content Security Policy (CSP) header for securing the communication between the client browser and Identity Server.

NOTE: If you create a CSP header, it is recommended to disable the X-Frame option to avoid any conflicts with the CSP header.

To add a custom response header to the required URL, perform the following steps:

  1. Click Devices > Identity Servers > <Identity Server Cluster> > General > Response Headers.

  2. Click the Add icon and specify the following details:

    • Header Name: The name of the required header.

      You can choose the required header from the list or specify the name of the header.

    • Header Value: The value for the header.

    • URL Patterns: Regular expressions (regex) that identify the URL paths to which this header is added.

      The pattern is matched against the part of the destination URL that follows the port number (the path).

      For more information about using regular expressions, refer to Regular Expressions.

  3. Click Save.

For example, assume that you have an Identity Server cluster named IDP-cluster. To add the Content-Security-Policy header with the frame-ancestors, form-action, and frame-src directives to all URL paths that include /nidp, perform the following:

  1. Click Devices > Identity Servers > IDP-cluster > General > Response Headers.

  2. Click Add.

  3. Specify the following:

    • Header Name: Content-Security-Policy

    • Header Value: frame-src 'self'; frame-ancestors 'self'; form-action 'self'

      NOTE: The source value in this example is 'self', but you can use any value from the CSP source list except 'nonce-' and 'sha256-'.

    • URL Patterns: .*/nidp/.*
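The following is an added example, not Identity Server code, that models the rule from this example: it applies the URL pattern to the path after the port, parses the CSP value, and flags the disallowed source prefixes and the X-Frame conflict named in the notes above. The rule structure and the use of a full regex match are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed rule set mirroring the IDP-cluster example on this page.
RULES = [
    {"name": "Content-Security-Policy",
     "value": "frame-src 'self'; frame-ancestors 'self'; form-action 'self'",
     "pattern": r".*/nidp/.*"},
]

# Source expressions the page says may not be used in this header value.
DISALLOWED_SOURCE_PREFIXES = ("'nonce-", "'sha256-")

def headers_for(url, rules=RULES):
    """Return the headers a rule set adds for a request URL.

    The pattern is matched against what follows host[:port], i.e. the
    path plus query; a full match is assumed here (hypothetical)."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return {r["name"]: r["value"] for r in rules
            if re.fullmatch(r["pattern"], path)}

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def csp_problems(value):
    """List 'directive: source' pairs using a disallowed source prefix."""
    return [f"{directive}: {src}"
            for directive, sources in parse_csp(value).items()
            for src in sources
            if src.startswith(DISALLOWED_SOURCE_PREFIXES)]

def frame_conflict(headers):
    """True when X-Frame-Options is still set alongside frame-ancestors."""
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    return "X-Frame-Options" in headers and "frame-ancestors" in csp
```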