HTTP Security
The HTTP Security configuration category includes the following configurable options:
Property: Block HTTP HEAD
| Property Name | Block HTTP HEAD |
| Property Key | |
| Property Type | BOOLEAN |
| Description | If set, the server will reject the HTTP HEAD verb. This verb is considered insecure in some environments. |
| Applies to Modules | CDS Hooks REST Endpoint, FHIR Gateway REST Endpoint, FHIR REST Endpoint (All FHIR Versions), FHIR REST Endpoint (DSTU2 - Deprecated), FHIR REST Endpoint (R3 - Deprecated), FHIR REST Endpoint (R4 - Deprecated), FHIRWeb Console, Hybrid Providers REST Endpoint, JSON Admin API, MDM UI, Package Registry Endpoint, Payer to Payer, SMART Outbound Security, Subscription Websocket Endpoint, appSphere |
| Default Value | false |
| Example Property | module.[MODULE_ID].config.block_http_head = false |
Property: Block HTTP OPTIONS
| Property Name | Block HTTP OPTIONS |
| Property Key | |
| Property Type | BOOLEAN |
| Description | If set, the server will reject the HTTP OPTIONS verb. This verb is considered insecure in some environments. |
| Applies to Modules | CDS Hooks REST Endpoint, FHIR Gateway REST Endpoint, FHIR REST Endpoint (All FHIR Versions), FHIR REST Endpoint (DSTU2 - Deprecated), FHIR REST Endpoint (R3 - Deprecated), FHIR REST Endpoint (R4 - Deprecated), FHIRWeb Console, Hybrid Providers REST Endpoint, JSON Admin API, MDM UI, Package Registry Endpoint, Payer to Payer, SMART Outbound Security, Subscription Websocket Endpoint, appSphere |
| Default Value | false |
| Example Property | module.[MODULE_ID].config.block_http_options = false |
Property: Custom Headers
| Property Name | Custom Headers |
| Property Key | |
| Property Type | STRING_MULTILINE |
| Description | Specify custom headers that will be added to every response. Each new header must be specified on a new line. Each line must be in the format HeaderName:HeaderValue (with a colon after the name). |
| Applies to Modules | CDS Hooks REST Endpoint, FHIR Gateway REST Endpoint, FHIR REST Endpoint (All FHIR Versions), FHIR REST Endpoint (DSTU2 - Deprecated), FHIR REST Endpoint (R3 - Deprecated), FHIR REST Endpoint (R4 - Deprecated), FHIRWeb Console, Hybrid Providers REST Endpoint, JSON Admin API, MDM UI, Package Registry Endpoint, Payer to Payer, SMART Outbound Security, Subscription Websocket Endpoint, appSphere |
| Default Value | (no default) |
| Example Property | module.[MODULE_ID].config.custom_response_headers = |
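The following is an added example, not the product's own code: a pre-deployment check for a Custom Headers value in the HeaderName:HeaderValue line format described above. Splitting on the first colon only, the header-name character set, and the rejection of control characters are assumptions of this sketch; the sample value is constructed.

```python
import re

# Characters allowed in an HTTP header field name (the RFC 9110 "token" set).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_custom_headers(value):
    """Parse a multi-line Custom Headers value.

    Returns (headers, problems): headers is a list of (name, value) pairs,
    problems is a list of (line_number, reason) for lines that need fixing.
    """
    headers, problems = [], []
    for lineno, raw in enumerate(value.split("\n"), start=1):
        line = raw.rstrip("\r")  # tolerate CRLF line endings
        if not line.strip():
            continue  # blank lines carry no header
        # Assumption: only the FIRST colon separates name from value, so
        # values that contain colons (URLs, host:port) stay intact.
        name, sep, val = line.partition(":")
        val = val.strip()
        if not sep:
            problems.append((lineno, "missing colon after header name"))
        elif not _TOKEN.match(name):
            problems.append((lineno, "invalid header name"))
        elif any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in val):
            problems.append((lineno, "control character in value"))
        else:
            headers.append((name, val))
    return headers, problems


# Constructed sample value, not taken from any real deployment.
SAMPLE = (
    "Strict-Transport-Security: max-age=31536000\n"
    "Content-Security-Policy: default-src https://example.org:8443\n"
    "X-Content-Type-Options nosniff\n"
    "Bad Name: 1\n"
)

if __name__ == "__main__":
    ok, bad = parse_custom_headers(SAMPLE)
    for name, val in ok:
        print("ok  ", name, "=", val)
    for lineno, reason in bad:
        print("fix  line", lineno, "-", reason)
```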
Property: Frame Options (Allow From)
| Property Name | Frame Options (Allow From) |
| Property Key | |
| Property Type | STRING |
| Description | This setting can be used to set the X-Frame-Options header. Leave this setting blank (the default) in order to set a value of DENY. See Frame Options for more information. |
| Applies to Modules | CDS Hooks REST Endpoint, FHIR Gateway REST Endpoint, FHIR REST Endpoint (All FHIR Versions), FHIR REST Endpoint (DSTU2 - Deprecated), FHIR REST Endpoint (R3 - Deprecated), FHIR REST Endpoint (R4 - Deprecated), FHIRWeb Console, Hybrid Providers REST Endpoint, JSON Admin API, MDM UI, Package Registry Endpoint, Payer to Payer, SMART Outbound Security, Subscription Websocket Endpoint |
| Default Value | (no default) |
| Example Property | module.[MODULE_ID].config.frame_options.allow_from = |
Property: Pin Host
| Property Name | Pin Host |
| Property Key | |
| Property Type | STRING |
| Description | If set, the server will always use the given host name instead of respecting the Host header. This can be useful to mitigate host poisoning attacks. The value for this setting is a comma-separated list in the form: hosta.com:8888, hostb.org. Any request that does not request one of the hosts in the list will be treated as though it had requested the first entry in the list. |
| Applies to Modules | CDS Hooks REST Endpoint, FHIR Gateway REST Endpoint, FHIR REST Endpoint (All FHIR Versions), FHIR REST Endpoint (DSTU2 - Deprecated), FHIR REST Endpoint (R3 - Deprecated), FHIR REST Endpoint (R4 - Deprecated), FHIRWeb Console, Hybrid Providers REST Endpoint, JSON Admin API, MDM UI, Package Registry Endpoint, Payer to Payer, SMART Outbound Security, Subscription Websocket Endpoint, appSphere |
| Default Value | (no default) |
| Example Property | module.[MODULE_ID].config.pin_host = |
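The fallback rule in the Pin Host description, modelled as an added example (not the product's own code) so that a candidate setting can be checked against Host header values seen in logs. The function names are hypothetical, the Host values are constructed, and matching case-insensitively on the full host:port string is an assumption of this sketch.

```python
def parse_pin_host(setting):
    """Split the comma-separated Pin Host value into host[:port] entries."""
    return [h.strip() for h in setting.split(",") if h.strip()]


def resolve(setting, host_header):
    """Return (effective_host, matched) for one request.

    With no pinned hosts the Host header is respected as-is. Otherwise a
    header equal to a pinned entry is kept, and anything else is treated
    as though it had requested the first entry in the list.
    """
    pinned = parse_pin_host(setting)
    if not pinned:
        return host_header, True
    requested = (host_header or "").strip().lower()
    for entry in pinned:
        # Assumption: case-insensitive match on the whole host:port string.
        if requested == entry.lower():
            return entry, True
    return pinned[0], False


def overridden_requests(setting, host_headers):
    """List (host_header, effective_host) for requests that fell back."""
    out = []
    for h in host_headers:
        effective, matched = resolve(setting, h)
        if not matched:
            out.append((h, effective))
    return out


# Setting in the form given in the description above.
PIN_HOST = "hosta.com:8888, hostb.org"

# Constructed Host header values, as might be pulled from an access log.
SAMPLE_HOSTS = ["hosta.com:8888", "HostB.org", "unexpected.example", "hosta.com", ""]

if __name__ == "__main__":
    for seen, used in overridden_requests(PIN_HOST, SAMPLE_HOSTS):
        print(f"Host {seen!r} not pinned, served as {used!r}")
```

Requests listed by `overridden_requests` are the ones worth reviewing: they are either clients using a host name missing from the list or requests carrying an unexpected Host header.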
Property: Suppress Error Details
| Property Name | Suppress Error Details |
| Property Key | |
| Property Type | BOOLEAN |
| Description | If enabled, the server suppresses most details about errors from being released in HTTP responses. For example, invalid paths will not be echoed in 404 messages and details about invalid OAuth2 scopes will be suppressed. This setting is useful for production environments, as it minimizes the risk of malicious users gaining insights into the running system via error messages. |
| Applies to Modules | CDS Hooks REST Endpoint, FHIR Gateway REST Endpoint, FHIR REST Endpoint (All FHIR Versions), FHIR REST Endpoint (DSTU2 - Deprecated), FHIR REST Endpoint (R3 - Deprecated), FHIR REST Endpoint (R4 - Deprecated), FHIRWeb Console, Hybrid Providers REST Endpoint, JSON Admin API, MDM UI, Package Registry Endpoint, Payer to Payer, SMART Outbound Security, Subscription Websocket Endpoint, appSphere |
| Default Value | false |
| Example Property | module.[MODULE_ID].config.suppress_error_details = false |
Property: Suppress Platform Information
| Property Name | Suppress Platform Information |
| Property Key | |
| Property Type | BOOLEAN |
| Description | Suppress Platform Information |
| Applies to Modules | CDS Hooks REST Endpoint, FHIR Gateway REST Endpoint, FHIR REST Endpoint (All FHIR Versions), FHIR REST Endpoint (DSTU2 - Deprecated), FHIR REST Endpoint (R3 - Deprecated), FHIR REST Endpoint (R4 - Deprecated), FHIRWeb Console, Hybrid Providers REST Endpoint, JSON Admin API, MDM UI, Package Registry Endpoint, Payer to Payer, SMART Outbound Security, Subscription Websocket Endpoint, appSphere |
| Default Value | false |
| Example Property | module.[MODULE_ID].config.suppress_platform_info = false |