Configure Service HTTP Security Headers

CAS can control, on a per-service basis, whether certain security-related HTTP headers are injected into the response. These headers are normally enabled and defined globally as part of the CAS Security Filter; the strategy described here lets you enable or disable their injection for specific applications and service requests, overriding the global defaults only for those services. A service that defines none of these properties simply inherits the global behaviour.

A sample JSON file follows:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "sample service",
  "id" : 100,
  "properties" : {
    "@class" : "java.util.HashMap",
    "httpHeaderEnableXContentOptions" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }
}

The supported HTTP headers, expressed as service properties, are:

| Property | Description |
|---|---|
| httpHeaderEnableCacheControl | Insert Cache-Control headers into the response for this service. |
| httpHeaderEnableXContentOptions | Insert X-Content-Type-Options headers into the response for this service. |
| httpHeaderEnableStrictTransportSecurity | Insert Strict-Transport-Security headers into the response for this service. |
| httpHeaderEnableXFrameOptions | Insert X-Frame-Options headers into the response for this service. |
| httpHeaderEnableContentSecurityPolicy | Insert Content-Security-Policy headers into the response for this service. |
| httpHeaderEnableXSSProtection | Insert X-XSS-Protection headers into the response for this service. |
| httpHeaderXFrameOptions | Override the value of the X-Frame-Options header in the response for this service. |

The httpHeaderEnable* properties take the string values "true" or "false". httpHeaderXFrameOptions takes the header value itself, such as DENY or SAMEORIGIN. Property names are matched exactly, so a misspelled property is not an error; it is silently ignored and the global default applies. Note that X-XSS-Protection is no longer honoured by current browsers; Content-Security-Policy is the header that actually mitigates cross-site scripting.

The header values themselves are picked up from CAS properties. See the CAS properties documentation for the relevant settings.
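The following script, added here as an illustration and not part of CAS itself, models how the per-service properties above combine with global defaults to produce the effective response headers, and lints a service definition for the mistakes that bite in practice (a non-boolean value, an unusual X-Frame-Options value, or a misspelled property name that silently falls back to the global default). The global defaults, header values, registry matching rule and the service definition are all assumed or constructed for the example and will differ from a real deployment.

```python
"""Model of per-service HTTP security header resolution for a CAS service
registry. Illustrative code, not CAS's own implementation."""
import json
import re

# Assumed global defaults, standing in for the CAS Security Filter settings.
GLOBAL_ENABLED = {
    "httpHeaderEnableCacheControl": True,
    "httpHeaderEnableXContentOptions": True,
    "httpHeaderEnableStrictTransportSecurity": True,
    "httpHeaderEnableXFrameOptions": True,
    "httpHeaderEnableContentSecurityPolicy": True,
    "httpHeaderEnableXSSProtection": True,
}

# Header name and an assumed global value for each enable flag; in CAS the
# real values come from CAS properties.
HEADERS = {
    "httpHeaderEnableCacheControl": ("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"),
    "httpHeaderEnableXContentOptions": ("X-Content-Type-Options", "nosniff"),
    "httpHeaderEnableStrictTransportSecurity": ("Strict-Transport-Security", "max-age=15768000; includeSubDomains"),
    "httpHeaderEnableXFrameOptions": ("X-Frame-Options", "DENY"),
    "httpHeaderEnableContentSecurityPolicy": ("Content-Security-Policy", "default-src 'self'"),
    "httpHeaderEnableXSSProtection": ("X-XSS-Protection", "1; mode=block"),
}
XFO_OVERRIDE = "httpHeaderXFrameOptions"
XFO_ALLOWED = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete in current browsers

# Constructed service definition in the registry's JSON shape. It disables the
# CSP injection, frames itself same-origin, and contains a deliberate typo in
# the X-XSS-Protection property name.
SERVICE_JSON = r'''
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://portal\\.example\\.org/.*",
  "name" : "portal",
  "id" : 200,
  "properties" : {
    "@class" : "java.util.HashMap",
    "httpHeaderEnableContentSecurityPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "false" ] ]
    },
    "httpHeaderXFrameOptions" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "SAMEORIGIN" ] ]
    },
    "httpHeaderEnableXSSProtecton" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "false" ] ]
    }
  }
}
'''
SERVICE = json.loads(SERVICE_JSON)


def flat_properties(service):
    """Collapse the HashMap/HashSet wrappers into {property name: first value}."""
    out = {}
    for name, prop in service.get("properties", {}).items():
        if name == "@class":
            continue
        values = prop["values"][1]  # shape: ["java.util.HashSet", [value, ...]]
        out[name] = str(values[0]) if values else ""
    return out


def lint_properties(props):
    """Return a list of problems with the httpHeader* properties of a service."""
    problems = []
    for name, value in props.items():
        if not name.startswith("httpHeader"):
            continue
        if name in GLOBAL_ENABLED:
            if value.lower() not in ("true", "false"):
                problems.append(f"{name}: expected true/false, got {value!r}")
        elif name == XFO_OVERRIDE:
            if value.upper() not in XFO_ALLOWED:
                problems.append(f"{name}: unusual X-Frame-Options value {value!r}")
        else:
            problems.append(f"{name}: unknown property, ignored; global default applies")
    return problems


def effective_headers(service):
    """Headers the response will carry: service override if set, else global default."""
    props = flat_properties(service)
    headers = {}
    for flag, (header, default_value) in HEADERS.items():
        enabled = GLOBAL_ENABLED[flag]
        if flag in props:
            enabled = props[flag].lower() == "true"
        if not enabled:
            continue
        value = default_value
        if header == "X-Frame-Options" and XFO_OVERRIDE in props:
            value = props[XFO_OVERRIDE]
        headers[header] = value
    return headers


def matching_service(registry, url):
    """Simplified registry lookup: first service whose serviceId regex matches."""
    for svc in registry:
        if re.match(svc["serviceId"], url):
            return svc
    return None


if __name__ == "__main__":
    svc = matching_service([SERVICE], "https://portal.example.org/login")
    for problem in lint_properties(flat_properties(svc)):
        print("LINT:", problem)
    for header, value in effective_headers(svc).items():
        print(f"{header}: {value}")
```

Running it shows the two effects a practitioner needs to see: the CSP header is gone and X-Frame-Options reads SAMEORIGIN for this service, while the misspelled httpHeaderEnableXSSProtecton has no effect on the headers and is only caught by the lint pass.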