Some security scanners require specific HTTP headers to be present in the responses sent by Royal Server.
Here are some headers with example values that can be configured:
- Strict-Transport-Security: max-age=31536000
- X-Content-Type-Options: nosniff
- Cache-Control: no-cache, no-store
- X-XSS-Protection: 1
- Content-Security-Policy: default-src
This can be achieved with the following configuration steps:
- Make a backup of the configuration file at %programdata%\RoyalServer\appsettings.json
- Edit the Royal Server configuration file at %programdata%\RoyalServer\appsettings.json
- Look for the line
  "CustomHeaders": [],
- and replace this line with the following:
  "CustomHeaders": [
    { "Name": "X-Content-Type-Options", "Value": "nosniff", "Disabled": false },
    { "Name": "Strict-Transport-Security", "Value": "max-age=31536000", "Disabled": false },
    { "Name": "Cache-Control", "Value": "no-cache, no-store", "Disabled": false },
    { "Name": "X-XSS-Protection", "Value": "1", "Disabled": false },
    { "Name": "Content-Security-Policy", "Value": "default-src", "Disabled": false }
  ],
After a restart of the Royal Server service, you can see the new headers sent back by Royal Server to the clients.
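The steps above can also be scripted. The following is an added example and not part of the Royal Server product or its documentation: it backs up appsettings.json, merges the header entries from this page into the CustomHeaders array (updating an entry that already exists under the same name instead of adding a duplicate) and writes the file back. The merge behaviour and the .bak naming are assumptions; the file path and the header names, values and entry format are those given on this page.

```python
"""Add the security headers from this page to Royal Server's appsettings.json."""
import json
import os
import shutil
from pathlib import Path

# Header set exactly as given in the page's CustomHeaders example.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000",
    "Cache-Control": "no-cache, no-store",
    "X-XSS-Protection": "1",
    "Content-Security-Policy": "default-src",
}


def merge_custom_headers(settings: dict, headers: dict) -> dict:
    """Return a copy of settings with headers merged into "CustomHeaders".

    An existing entry with the same Name (HTTP header names are case-
    insensitive) gets its Value replaced and is re-enabled; all other keys
    in the settings file and unrelated header entries are preserved.
    """
    result = json.loads(json.dumps(settings))  # deep copy, input untouched
    custom = result.setdefault("CustomHeaders", [])
    for name, value in headers.items():
        for entry in custom:
            if entry.get("Name", "").lower() == name.lower():
                entry["Value"] = value
                entry["Disabled"] = False
                break
        else:  # no entry with that name yet: append one in the page's format
            custom.append({"Name": name, "Value": value, "Disabled": False})
    return result


def apply_to_file(path: Path, headers: dict = SECURITY_HEADERS) -> Path:
    """Back up the config next to itself (assumed .bak suffix), then rewrite it."""
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)  # step 1 on the page: keep a backup first
    settings = json.loads(path.read_text(encoding="utf-8"))
    merged = merge_custom_headers(settings, headers)
    path.write_text(json.dumps(merged, indent=2), encoding="utf-8")
    return backup


def default_config_path() -> Path:
    """%programdata%\\RoyalServer\\appsettings.json, as named on the page."""
    return Path(os.environ.get("ProgramData", r"C:\ProgramData")) / "RoyalServer" / "appsettings.json"


if __name__ == "__main__":
    print("backup written to", apply_to_file(default_config_path()))
```

Restart the Royal Server service afterwards, as described above, for the new headers to take effect.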
Note:
Some security scanner products require the Cache-Control header to be set to something like private,max-age=31536000.
For the request /authentication/signin (to which unauthenticated requests are automatically redirected), ASP.NET Core resets the header to no-cache, no-store, since this response must not be cached under any circumstances.
For details see this information from Microsoft: