Security Headers
In CxSAST, the X-Frame-Options header cannot be set. Instead, the following security headers can be configured to enhance application security:
Content-Security-Policy – can be set, for example, to:
Content-Security-Policy: default-src 'self'
CSP is not a full replacement for the X-Frame-Options header (a default-src directive restricts where content is loaded from; it does not control who may frame the application), but it adds a further layer of defence by limiting the sources from which scripts, styles and other content can be loaded.
Strict-Transport-Security (HSTS) – can be set to:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Browsers only honour HSTS when it arrives on an HTTPS response, so SSL must already be enabled on the CxManager. For detailed instructions, refer to Enabling SSL Support on the CxManager.
X-Content-Type-Options – can be set to:
X-Content-Type-Options: nosniff
This header stops browsers from sniffing a response and treating it as a MIME type other than the one declared in Content-Type, which reduces the risk of MIME-confusion attacks (for example, an uploaded file being interpreted as script).
Secure Cookie Attribute – The Secure attribute ensures that a cookie is transmitted only over HTTPS connections. This matters chiefly when an application is served over both HTTP and HTTPS; CxSAST enforces HTTPS exclusively, which mitigates this concern.
To allow maximum flexibility for different customers and deployment types, other headers can be set explicitly.
Security Header Configuration Levels
To provide flexibility for different customers and deployment types, security headers in CxSAST can be configured at three levels. A header must be defined at only one of these levels; configurations at different levels must not conflict with or duplicate each other:
IIS Feature Level: Configuration file
C:\Windows\System32\inetsrv\config\applicationHost.config
Site Level: Configuration file
C:\inetpub\wwwroot\web.config
For example, settings for the default web site.
Application Level: Configuration file
D:\Checkmarx\CheckmarxWebPortal\Web\web.config
Starting with version 9.6, some security configurations were moved to the Application Level (D:\Checkmarx\CheckmarxWebPortal\Web\web.config). To prevent configuration collisions, these settings have been removed from the IIS Feature Level and Site Level.
By consolidating security configurations at the Application Level, CxSAST ensures greater control and avoids conflicts across different configuration layers.
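As an added example (not configuration shipped with CxSAST or taken from the Checkmarx documentation), this is how the three headers listed above look when placed in the Application Level web.config using the standard IIS customHeaders schema. The three <remove> entries are a defensive assumption rather than something the page prescribes: if the merged IIS configuration ends up with two <add> entries of the same name (one inherited from applicationHost.config or the site web.config, one here), IIS fails every request with HTTP 500.19 "Cannot add duplicate collection entry", which is the collision the version 9.6 change is meant to avoid.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative fragment for D:\Checkmarx\CheckmarxWebPortal\Web\web.config (Application Level).
     Added example, not shipped CxSAST configuration. Only the customHeaders section is shown;
     the other elements already present in the real file must be kept. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Defensive (assumption, not from the page): clear any copy of the header inherited
             from a higher configuration level before adding it. Two <add> entries with the same
             name in the merged configuration make IIS answer 500.19
             "Cannot add duplicate collection entry". -->
        <remove name="Content-Security-Policy" />
        <remove name="Strict-Transport-Security" />
        <remove name="X-Content-Type-Options" />

        <!-- Restrict where scripts, styles, images and other resources may be loaded from.
             default-src does not govern who may frame the portal. -->
        <add name="Content-Security-Policy" value="default-src 'self'" />

        <!-- One year, including subdomains. Browsers ignore this header on plain HTTP
             responses, so SSL must already be enabled on the CxManager. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />

        <!-- Disable MIME sniffing of responses. -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- X-Frame-Options is deliberately absent: per the text above it cannot be set in CxSAST. -->
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

IIS reloads web.config automatically when it is saved. To verify, request the portal over HTTPS and confirm that all three headers appear in the response; if IIS returns 500.19 instead, the same header is still defined at the IIS Feature Level or Site Level and must be removed there, as the page requires.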
Additional Headers
To meet specific deployment needs, customers can explicitly set other security headers as required for their environments.