
35.66 HTTP Security

 

The HTTP Security configuration category includes the following configurable options:

  • Block HTTP HEAD

  • Block HTTP OPTIONS

  • Frame Options (Allow From)

  • Pin Host

  • Suppress Error Details

  • Suppress Platform Information

35.66.1 Property: Block HTTP HEAD

 
Property Name Block HTTP HEAD
Property Key
Property Type BOOLEAN
Description If set, the server will reject the HTTP HEAD verb. This verb is considered insecure in some environments.
Applies to Modules
  • App Management Tools
  • CDS-Hooks REST Endpoint
  • FHIR Gateway REST Endpoint
  • FHIR REST Endpoint (DSTU2)
  • FHIR REST Endpoint (R3)
  • FHIR REST Endpoint (R4)
  • FHIRWeb Console
  • Hybrid Providers REST Endpoint
  • JSON Admin API
  • Package Registry Endpoint
  • SMART App Host (Deprecated)
  • SMART Outbound Security
  • Subscription Websocket Endpoint
Default Value false
Example Property
module.[MODULE_ID].config.block_http_head = false

35.66.2 Property: Block HTTP OPTIONS

 
Property Name Block HTTP OPTIONS
Property Key
Property Type BOOLEAN
Description If set, the server will reject the HTTP OPTIONS verb. This verb is considered insecure in some environments.
Applies to Modules
  • App Management Tools
  • CDS-Hooks REST Endpoint
  • FHIR Gateway REST Endpoint
  • FHIR REST Endpoint (DSTU2)
  • FHIR REST Endpoint (R3)
  • FHIR REST Endpoint (R4)
  • FHIRWeb Console
  • Hybrid Providers REST Endpoint
  • JSON Admin API
  • Package Registry Endpoint
  • SMART App Host (Deprecated)
  • SMART Outbound Security
  • Subscription Websocket Endpoint
Default Value false
Example Property
module.[MODULE_ID].config.block_http_options = false

35.66.3 Property: Frame Options (Allow From)

 
Property Name Frame Options (Allow From)
Property Key
Property Type STRING
Description This setting can be used to set the X-Frame-Options header. Leave this setting blank (the default) in order to set a value of DENY. See Frame Options for more information.
Applies to Modules
  • App Management Tools
  • CDS-Hooks REST Endpoint
  • FHIR Gateway REST Endpoint
  • FHIR REST Endpoint (DSTU2)
  • FHIR REST Endpoint (R3)
  • FHIR REST Endpoint (R4)
  • FHIRWeb Console
  • Hybrid Providers REST Endpoint
  • JSON Admin API
  • Package Registry Endpoint
  • SMART App Host (Deprecated)
  • SMART Outbound Security
  • Subscription Websocket Endpoint
Default Value (no default)
Example Property
module.[MODULE_ID].config.frame_options.allow_from = 

35.66.4 Property: Pin Host

 
Property Name Pin Host
Property Key
Property Type STRING
Description If set, the server will always use the given host name instead of respecting the Host header. This can be useful to mitigate host poisoning attacks. The value for this setting is a comma-separated list in the form: hosta.com:8888, hostb.org. Any request that does not request one of the hosts in the list will be treated as though it had requested the first entry in the list.
Applies to Modules
  • App Management Tools
  • CDS-Hooks REST Endpoint
  • FHIR Gateway REST Endpoint
  • FHIR REST Endpoint (DSTU2)
  • FHIR REST Endpoint (R3)
  • FHIR REST Endpoint (R4)
  • FHIRWeb Console
  • Hybrid Providers REST Endpoint
  • JSON Admin API
  • Package Registry Endpoint
  • SMART App Host (Deprecated)
  • SMART Outbound Security
  • Subscription Websocket Endpoint
Default Value (no default)
Example Property
module.[MODULE_ID].config.pin_host = 
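
A minimal model of the Pin Host rule described above, added here as an illustration and not taken from the product's code. The function names, the case-insensitive matching and the exact host:port comparison are assumptions; the sample host list uses the format shown in the description.

```python
# Added illustration: models the documented Pin Host behaviour; not product source.

def parse_pin_host(setting):
    """Split the comma-separated pin_host value into normalized host[:port] entries."""
    return [entry.strip().lower() for entry in setting.split(",") if entry.strip()]


def effective_host(setting, host_header):
    """Return the host the server should act on for one request.

    Assumptions (not stated on the page): comparison is case-insensitive and
    an entry must match the Host header exactly, including any port.
    """
    pinned = parse_pin_host(setting)
    if not pinned:
        # Setting left blank: the Host header is respected as-is.
        return host_header
    requested = (host_header or "").strip().lower()
    # Unknown or missing hosts are treated as a request for the first entry.
    return requested if requested in pinned else pinned[0]


def base_url(setting, host_header, scheme="https"):
    """Build the absolute base URL a response link would be derived from."""
    return f"{scheme}://{effective_host(setting, host_header)}/"


# Constructed sample values, using the list format shown in the description.
PIN_HOST = "hosta.com:8888, hostb.org"
SAMPLE_HOST_HEADERS = ["hosta.com:8888", "HostB.org", "attacker.example", None]

if __name__ == "__main__":
    for header in SAMPLE_HOST_HEADERS:
        print(f"Host: {header!r:22} -> {base_url(PIN_HOST, header)}")
```

With the list set, a request carrying an unlisted or missing Host value produces links based on the first entry, so a poisoned Host header never reaches generated URLs.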

35.66.5 Property: Suppress Error Details

 
Property Name Suppress Error Details
Property Key
Property Type BOOLEAN
Description If enabled, the server suppresses most details about errors in HTTP responses. For example, invalid paths will not be echoed in 404 messages and details about invalid OAuth2 scopes will be suppressed. This setting is useful for production environments, as it minimizes the risk of malicious users gaining insights into the running system via error messages.
Applies to Modules
  • App Management Tools
  • CDS-Hooks REST Endpoint
  • FHIR Gateway REST Endpoint
  • FHIR REST Endpoint (DSTU2)
  • FHIR REST Endpoint (R3)
  • FHIR REST Endpoint (R4)
  • FHIRWeb Console
  • Hybrid Providers REST Endpoint
  • JSON Admin API
  • Package Registry Endpoint
  • SMART App Host (Deprecated)
  • SMART Outbound Security
  • Subscription Websocket Endpoint
Default Value false
Example Property
module.[MODULE_ID].config.suppress_error_details = false

35.66.6 Property: Suppress Platform Information

 
Property Name Suppress Platform Information
Property Key
Property Type BOOLEAN
Description Suppress Platform Information
Applies to Modules
  • App Management Tools
  • CDS-Hooks REST Endpoint
  • FHIR Gateway REST Endpoint
  • FHIR REST Endpoint (DSTU2)
  • FHIR REST Endpoint (R3)
  • FHIR REST Endpoint (R4)
  • FHIRWeb Console
  • Hybrid Providers REST Endpoint
  • JSON Admin API
  • Package Registry Endpoint
  • SMART App Host (Deprecated)
  • SMART Outbound Security
  • Subscription Websocket Endpoint
Default Value false
Example Property
module.[MODULE_ID].config.suppress_platform_info = false