
Oracle Forms


https security headers: duplicity of cache-control

juliojgs Dec 27 2022 — edited Dec 28 2022

I'm deploying a Forms & Reports app at a client (actually it is an upgrade from 11g to 12c).
The infrastructure is WebLogic 12.2.1.4, and I'm fronting Forms through OHS (created an ohs1 component), where I enabled SSL and limited some ciphers as requested by the client's security dept.
Now the client's security dept sends new requirements that we have to fulfil: a list of headers that must be present:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FRAME-OPTIONS: SAMEORIGIN
Content-Security-Policy: script-src 'self' (it may take other values; analysis and adaptation to the scenario will be necessary)
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
As I want the app to be secure, and I read that some of these security headers are added when you patch your WebLogic installation, I'm trying to get the infrastructure patching up to date before seeing which headers I still need to add. (I'm patching WebLogic, FMW Infrastructure and OHS.)
I ended up adding these headers at the ohs1 httpd.conf file level, but I see a couple of issues:
1. Forms: some Cache-Control header values are duplicated: Cache-Control: no-cache,no-store, no-store, no-cache, must-revalidate, max-age=0
2. Reports: there is an error related to the Content-Security-Policy header: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'"
Where would you add these headers?
Thanks.
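As an added example (not from the post, and not Oracle's own tooling), a small Python audit that takes a captured set of response headers like the one quoted above and reports the duplicated Cache-Control directives, any header from the required list that is absent, and an HSTS max-age below the requested year; the sample response is constructed from the values in the post, with Content-Security-Policy deliberately left out.

```python
import re

REQUIRED_HEADERS = ("strict-transport-security", "x-frame-options",
                    "content-security-policy", "cache-control", "pragma", "expires")
REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate", "max-age=0"}
MIN_HSTS_AGE = 31536000  # one year, the value the security department asked for

def cache_control_directives(value):
    """Split a Cache-Control value into lower-cased directives, order kept."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]

def audit_headers(headers):
    """headers: list of (name, value) pairs, one per response header line.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    for required in REQUIRED_HEADERS:
        if required not in by_name:
            findings.append("missing header: " + required)
    # Cache-Control may be sent more than once; merge every occurrence, then
    # flag repeated directives (the duplication in the post) and absent ones.
    directives = [d for v in by_name.get("cache-control", [])
                  for d in cache_control_directives(v)]
    repeated = sorted({d for d in directives if directives.count(d) > 1})
    if repeated:
        findings.append("duplicate cache-control directives: " + ", ".join(repeated))
    missing = REQUIRED_CACHE_DIRECTIVES - set(directives)
    if missing:
        findings.append("cache-control lacks: " + ", ".join(sorted(missing)))
    for hsts in by_name.get("strict-transport-security", []):
        age = re.search(r"max-age=(\d+)", hsts, re.I)
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("hsts max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts missing includeSubDomains")
    return findings

# Constructed sample: the Forms response quoted in the post, minus Content-Security-Policy.
SAMPLE_FORMS_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("X-FRAME-OPTIONS", "SAMEORIGIN"),
    ("Cache-Control", "no-cache,no-store, no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE_FORMS_RESPONSE)) or "all checks passed")
```

Capture the headers with a plain HTTPS client against the OHS front end and feed them in as (name, value) pairs; a clean run returns an empty list.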
