Itential Automation Platform

HTTPS Security

This guide outlines various security enhancements to the HTTP Headers in Itential Automation Platform (IAP) and why httpOnly was not set on all occurrences.

Default HTTP Response Headers

| Header | Syntax | Description |
| --- | --- | --- |
| Access-Control-Allow-Origin | * | Tells the browser to allow code from any origin to access a resource. See Configurable Headers below. |
| Access-Control-Allow-Headers | Origin, X-Requested-With, Content-Type, Accept | Used in response to a preflight request that includes Access-Control-Request-Headers, to indicate which HTTP headers can be used during the actual request. |
| Access-Control-Allow-Methods | POST, GET, DELETE, OPTIONS | Specifies the HTTP methods allowed when accessing the resource, in response to a preflight request. |
| X-Frame-Options | SAMEORIGIN | The page can only be displayed in a frame on the same origin as the page itself. |
| X-Content-Type-Options | nosniff | A marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not changed. |
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | This response header (HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. |

Configurable Headers

Currently, the Access-Control-Allow-Origin header is configurable within an IAP profile. It is set in the expressProps under a property called access_control_allow_origin. When this property is set to a value other than the default of *, IAP also adds Origin to the Vary header.

Additional Headers If cacheControl is Turned On

These are defined in the expressProps of the IAP Profile document.

| Header | Syntax | Description |
| --- | --- | --- |
| Cache-Control | Private, No-Cache, No-Store, Must-Revalidate | Caching directives that can be used by the server in an HTTP response. |
| Pragma | No-Cache | Used for backwards compatibility with HTTP/1.0 caches where the Cache-Control HTTP/1.1 header is not present. |
| Expires | 0 | This header contains the date/time after which the response is considered stale. Invalid dates (i.e., the value 0) represent a date in the past and mean that the resource is already expired. |
| If-Modified-Since | Mon, 1 Jan 2014 01:00:00 GMT | This HTTP request header makes the request conditional: the server will send back the requested resource, with a 200 status, only if it has been last modified after the given date. If the resource has not been modified since, the response will be a 304. |


  • The Set-Cookie HTTP response header is used to send cookies from the server to the user agent.
  • Saved on login.
  • Token used for sessions.

| Value | Description |
| --- | --- |
| POST | HTTP request call to /login sets the httpOnly flag to true. |
| httpOnly | Cookies are not set for public, unauthenticated API calls. |
| secure | Flag is set to true when IAP is run over SSL. |
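
One way to check a deployment against the values documented above, added here as an example (it is not Itential's code). The `audit` function, the sample responses, the origin `https://ops.example.com` and the cookie name `token` are constructed assumptions; pass the Set-Cookie values from the POST /login response, since that is the call the page says sets the cookie.

```python
# Added example. All sample responses are constructed, not captured from IAP.
EXPECTED = {  # default values from the table on this page
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
}

def audit(headers, set_cookies=(), over_tls=True):
    """Return findings for one response (headers dict + raw Set-Cookie values)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        if h.get(name, "").lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {h.get(name)!r}")
    origin = h.get("access-control-allow-origin")
    if origin == "*":
        findings.append("access-control-allow-origin: default '*' allows any origin")
    elif origin:
        # A non-default origin should come with Origin in Vary so caches
        # do not serve one origin's response to another.
        vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
        if "origin" not in vary:
            findings.append("vary: Origin missing although allow-origin is not '*'")
    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: HttpOnly not set")
        if over_tls and "secure" not in attrs:
            findings.append(f"cookie {name}: Secure not set on an HTTPS response")
    return findings

# Constructed sample: a response carrying the documented defaults.
DEFAULT_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
# Constructed sample: profile with access_control_allow_origin set to one origin.
PINNED_RESPONSE = dict(DEFAULT_RESPONSE, **{
    "Access-Control-Allow-Origin": "https://ops.example.com",
    "Vary": "Accept-Encoding, Origin",
})
LOGIN_COOKIE = "token=EXAMPLE; Path=/; HttpOnly; Secure"  # cookie name is assumed

if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_RESPONSE), ("pinned", PINNED_RESPONSE)):
        print(label, audit(resp, [LOGIN_COOKIE]) or "no findings")
```

Set `over_tls=False` when auditing an instance served over plain HTTP, where the page says the secure flag is not set.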