Understand HTTP headers in Itential Platform

This guide outlines the security-related HTTP headers set by Itential Platform and explains why the httpOnly cookie flag is not set on every response.

Default HTTP response headers

| Header | Syntax | Description |
|---|---|---|
| Access-Control-Allow-Origin | * | Tells the browser to allow code from any origin to access a resource. See Configurable headers. |
| Access-Control-Allow-Headers | Origin, X-Requested-With, Content-Type, Accept | Used in response to a preflight request that includes Access-Control-Request-Headers, to indicate which HTTP headers can be used during the actual request. |
| Access-Control-Allow-Methods | POST, GET, DELETE, OPTIONS | Specifies the HTTP methods allowed when accessing the resource, in response to a preflight request. |
| X-Frame-Options | SAMEORIGIN | The page can only be displayed in a frame on the same origin as the page itself. |
| X-Content-Type-Options | nosniff | A marker used by the server to indicate that the MIME types advertised in the Content-Type header should be followed and not changed (no MIME sniffing). |
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | This response header (HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, never plain HTTP. |

Configurable headers

The Access-Control-Allow-Origin header is configurable within an Itential Platform profile. It is set in expressProps under the property access_control_allow_origin. When this is set to a value other than the default of *, Origin is also added to the Vary header so that caches keep separate copies per requesting origin.

Additional headers if cacheControl is turned on

These are defined in the expressProps of the Profile document.

| Header | Syntax | Description |
|---|---|---|
| Cache-Control | Private, No-Cache, No-Store, Must-Revalidate | Caching directives that can be used by the server in an HTTP response. |
| Pragma | No-Cache | Used for backwards compatibility with HTTP/1.0 caches where the Cache-Control HTTP/1.1 header is not present. |
| Expires | 0 | This header contains the date/time after which the response is considered stale. Invalid dates (the value 0) represent a date in the past and mean that the resource is already expired. |
| If-Modified-Since | Mon, 1 Jan 2014 01:00:00 GMT | This request HTTP header makes the request conditional: the server will send back the requested resource, with a 200 status, only if it has been modified after the given date. If the resource has not been modified since, the response will be a 304. |

Cookies

The Set-Cookie HTTP response header is used to send cookies from the server to the user agent. Cookies are saved on login and tokens are used for sessions.

| Value | Description |
|---|---|
| POST | HTTP request call to /login sets the httpOnly flag to true. |
| httpOnly | Cookies are not set for public, unauthenticated API calls. |
| secure | Flag is set to true when Itential Platform is run over SSL. |
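The following is an added example, not Itential's code, that audits a captured response against the header and cookie expectations described in the tables above: the default headers, the Vary rule for a non-default Access-Control-Allow-Origin, the cache headers when cacheControl is on, and the httpOnly/secure flags on any Set-Cookie. The `options` object (tls, cacheControl, configuredOrigin) and the sample headers are constructed for this example and are not a platform API.

```javascript
// Added example (not Itential's code): audit an HTTP response's headers against
// the expectations on this page. Header names are compared case-insensitively;
// directive lists (HSTS, Cache-Control, allow lists) compare as token sets.

const DEFAULT_HEADERS = {
  "access-control-allow-headers": "Origin, X-Requested-With, Content-Type, Accept",
  "access-control-allow-methods": "POST, GET, DELETE, OPTIONS",
  "x-frame-options": "SAMEORIGIN",
  "x-content-type-options": "nosniff",
  "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
};

// Response headers expected only when cacheControl is turned on in expressProps.
const CACHE_HEADERS = {
  "cache-control": "Private, No-Cache, No-Store, Must-Revalidate",
  "pragma": "No-Cache",
  "expires": "0",
};

// Lowercase header names and always store values as an array (Set-Cookie repeats).
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const values = Array.isArray(value) ? value : [value];
    out[name.toLowerCase()] = values.map((v) => String(v).trim());
  }
  return out;
}

// Compare a header value as a sorted, case-insensitive set of directives/tokens.
function hasValue(hdrs, name, expected) {
  const tokens = (s) => s.toLowerCase().split(/[,;]\s*/).filter(Boolean).sort().join(",");
  return (hdrs[name] || []).some((v) => tokens(v) === tokens(expected));
}

// Parse one Set-Cookie value into its name and the two flags this page cares about.
function parseCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  return { name: pair.split("=")[0], httpOnly: flags.has("httponly"), secure: flags.has("secure") };
}

// Returns a list of findings; an empty list means the response matches expectations.
// options: { tls: boolean, cacheControl: boolean, configuredOrigin: string } (constructed shape).
function auditResponse(rawHeaders, options) {
  const hdrs = normalise(rawHeaders);
  const findings = [];
  for (const [name, expected] of Object.entries(DEFAULT_HEADERS)) {
    if (!hasValue(hdrs, name, expected)) findings.push(`missing or unexpected ${name}`);
  }
  const origin = hdrs["access-control-allow-origin"];
  if (!origin) findings.push("missing access-control-allow-origin");
  else if (origin[0] !== options.configuredOrigin) findings.push(`access-control-allow-origin is ${origin[0]}`);
  // A non-default origin must be reflected in Vary so shared caches do not serve
  // one origin's CORS response to another.
  if (options.configuredOrigin !== "*") {
    const vary = (hdrs["vary"] || []).join(",").toLowerCase().split(/,\s*/);
    if (!vary.includes("origin")) findings.push("vary does not include Origin");
  }
  if (options.cacheControl) {
    for (const [name, expected] of Object.entries(CACHE_HEADERS)) {
      if (!hasValue(hdrs, name, expected)) findings.push(`missing or unexpected ${name}`);
    }
  }
  for (const c of (hdrs["set-cookie"] || []).map(parseCookie)) {
    if (!c.httpOnly) findings.push(`cookie ${c.name} lacks HttpOnly`);
    if (options.tls && !c.secure) findings.push(`cookie ${c.name} lacks Secure on a TLS deployment`);
  }
  return findings;
}

// Constructed sample: a login response from a TLS deployment with a fixed origin.
const sampleHeaders = {
  "Access-Control-Allow-Origin": "https://ops.example.test",
  "Vary": "Origin",
  "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
  "Access-Control-Allow-Methods": "POST, GET, DELETE, OPTIONS",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "Cache-Control": "Private, No-Cache, No-Store, Must-Revalidate",
  "Pragma": "No-Cache",
  "Expires": "0",
  "Set-Cookie": ["token=example; Path=/; HttpOnly; Secure"],
};
const sampleOptions = { tls: true, cacheControl: true, configuredOrigin: "https://ops.example.test" };
console.log(auditResponse(sampleHeaders, sampleOptions));
```

Run the audit against the raw header map your HTTP client returns; every finding names the header or cookie that deviates, so the output can be fed straight into a post-deployment check.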

HTTP verbs

This constraint is effective in release 2023.2 and later.

To support network security policies and provide an additional layer of control, Itential Platform will not accept or process any non-standard HTTP verbs it does not require for its operation. The sections that follow describe this in detail.

Always allowed HTTP verbs

The following set of HTTP verbs will always be accepted in Itential Platform:

GET, POST, PUT, PATCH, HEAD, OPTIONS, DELETE

For verbs not on this list, Itential has added a property, allowedHttpOptionalVerbs, in which admins specify an array of optional HTTP verbs Itential Platform may process. By default this array is empty and every non-permitted verb is blocked. Consequently, Itential Platform will not process any request that uses a restricted verb unless that verb has been defined ("turned on") in the allowedHttpOptionalVerbs property.

Optional HTTP verbs

As listed below, there are 26 optional HTTP verbs Itential admins can turn on. A 405 error ("Method Not Allowed") is returned if a request uses a verb that is neither always allowed nor turned on in allowedHttpOptionalVerbs.

These verbs must be entered in uppercase.

"ACL",
"BIND",
"CHECKOUT",
"CONNECT",
"COPY",
"LINK",
"LOCK",
"MERGE",
"MKACTIVITY",
"MKCALENDAR",
"MKCOL",
"MOVE",
"M-SEARCH",
"NOTIFY",
"PROPFIND",
"PROPPATCH",
"PURGE",
"REBIND",
"REPORT",
"SEARCH",
"SUBSCRIBE",
"TRACE",
"UNBIND",
"UNLINK",
"UNLOCK",
"UNSUBSCRIBE"
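The gating rule described above (always-allowed verbs pass, optional verbs pass only when turned on, everything else gets a 405), written as an added example that is not Itential's code. It reads allowedHttpOptionalVerbs from a constructed expressProps object and also validates the configured list against the 26 optional verbs, so a lowercase or unknown entry is reported instead of being silently ignored. The `decide` and `validateOptionalVerbs` function names are this example's own.

```javascript
// Added example (not Itential's code): enforce the HTTP verb policy this page
// describes. Assumption: the configuration is an expressProps object with the
// key allowedHttpOptionalVerbs (constructed here, not read from the platform).

const ALWAYS_ALLOWED = new Set(["GET", "POST", "PUT", "PATCH", "HEAD", "OPTIONS", "DELETE"]);

// The 26 optional verbs from the list above; entries must match exactly (uppercase).
const OPTIONAL_VERBS = new Set([
  "ACL", "BIND", "CHECKOUT", "CONNECT", "COPY", "LINK", "LOCK", "MERGE",
  "MKACTIVITY", "MKCALENDAR", "MKCOL", "MOVE", "M-SEARCH", "NOTIFY", "PROPFIND",
  "PROPPATCH", "PURGE", "REBIND", "REPORT", "SEARCH", "SUBSCRIBE", "TRACE",
  "UNBIND", "UNLINK", "UNLOCK", "UNSUBSCRIBE",
]);

// Return the configured entries that are not valid optional verbs (wrong case,
// typos, or verbs outside the list). Surfacing these at startup is the check an
// admin wants: a lowercase "propfind" would otherwise never be honoured.
function validateOptionalVerbs(expressProps) {
  const configured = expressProps.allowedHttpOptionalVerbs || [];
  return configured.filter((v) => !OPTIONAL_VERBS.has(v));
}

// Set of verbs the server processes: the always-allowed set plus the valid
// optional verbs that have been turned on.
function enabledVerbs(expressProps) {
  const optional = (expressProps.allowedHttpOptionalVerbs || []).filter((v) => OPTIONAL_VERBS.has(v));
  return new Set([...ALWAYS_ALLOWED, ...optional]);
}

// Decide whether a request method is processed. Returns { allowed: true } or
// { allowed: false, status: 405 }; the method string is compared as received.
function decide(method, expressProps) {
  if (enabledVerbs(expressProps).has(method)) return { allowed: true };
  return { allowed: false, status: 405 };
}

// Minimal Node http handler applying the decision before any routing happens.
// The 405 response carries an Allow header listing what the server accepts.
function makeHandler(expressProps, next) {
  return (req, res) => {
    const verdict = decide(req.method, expressProps);
    if (!verdict.allowed) {
      res.writeHead(405, { Allow: [...enabledVerbs(expressProps)].join(", ") });
      res.end("Method Not Allowed");
      return;
    }
    next(req, res);
  };
}

// Constructed profile: PROPFIND and REPORT turned on, one misspelled entry.
const sampleExpressProps = { allowedHttpOptionalVerbs: ["PROPFIND", "REPORT", "propfind"] };
console.log("rejected config entries:", validateOptionalVerbs(sampleExpressProps));
console.log("PROPFIND:", decide("PROPFIND", sampleExpressProps));
console.log("TRACE:", decide("TRACE", sampleExpressProps));

module.exports = { decide, validateOptionalVerbs, enabledVerbs, makeHandler };
```

With an empty or absent allowedHttpOptionalVerbs, every one of the 26 optional verbs, TRACE and CONNECT included, is answered with 405; turn on only the verbs an integration actually needs, and re-run `validateOptionalVerbs` after each profile change so a case or spelling mistake is caught before the restart.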

How to Configure Alternate HTTP Verbs

To configure the HTTP verbs that can be used for inbound requests to the Itential Platform server, use expressProps in the active Itential Platform profile to configure the allowedHttpOptionalVerbs property.

  1. Log in and navigate to Itential Platform → Administration → Admin Essentials.
  2. Select the active profile under Profiles.
  3. Click the Configure tab.
  4. Select expressProps under Edit Profile Properties.
  5. Update the allowedHttpOptionalVerbs property to include the desired verbs from the optional verb list above, in uppercase.
  6. Click Save to finalize your changes.
  7. Restart Itential Platform.
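Putting the three expressProps settings from this page together, here is an added, constructed profile fragment (not taken from an Itential profile document). The property names access_control_allow_origin, cacheControl and allowedHttpOptionalVerbs are from this page; the nesting under a top-level "expressProps" object, the boolean type of cacheControl and the example origin are assumptions.

```json
{
  "expressProps": {
    "access_control_allow_origin": "https://ops.example.test",
    "cacheControl": true,
    "allowedHttpOptionalVerbs": ["PROPFIND", "REPORT"]
  }
}
```

With this fragment the platform would reflect the single configured origin (and add Origin to Vary), emit the Cache-Control, Pragma and Expires headers, and accept PROPFIND and REPORT in addition to the always-allowed verbs while still answering the other 24 optional verbs with 405; a restart is required after saving, as in step 7.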