HTTP headers
HTTP response headers let you instruct the browser how to behave when it handles the data it receives. The HTTP headers below provide extra protection layers that mitigate vulnerabilities such as cross-site scripting, clickjacking and information disclosure.
Headers to add
X-Frame-Options
The X-Frame-Options header controls which other websites can embed the DataMiner webpages. We recommend restricting this completely or to websites on the same domain.
Open IIS Manager.
In the Connections pane on the left, select Default Web Site.
In the middle pane, double-click HTTP Response Headers.
In the Actions pane, click Add.
Set Name to X-Frame-Options.
Set Value to DENY or SAMEORIGIN.
Click OK.
X-Content-Type-Options
The X-Content-Type-Options header dictates how the browser should handle MIME types of requested resources. We recommend setting this to NOSNIFF.
Open IIS Manager.
In the Connections pane on the left, select Default Web Site.
In the middle pane, double-click HTTP Response Headers.
In the Actions pane, click Add.
Set Name to X-Content-Type-Options.
Set Value to NOSNIFF.
Click OK.
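The two procedures above add the headers through IIS Manager. The same result can be written into web.config under system.webServer/httpProtocol/customHeaders, which is handy when many DataMiner agents have to be configured consistently. The script below is an added example, not DataMiner tooling: it merges the recommended values into a web.config XML document, emitting a remove entry before each add so that the file stays valid even when a parent-level configuration already defines the same header name (IIS refuses duplicate collection entries) and so that running it twice yields the same output. The sample web.config is constructed for the demonstration; on a real agent you would read the file named on this page (C:\Skyline DataMiner\Webpages\web.config) and write the result back.

```python
"""Merge X-Frame-Options and X-Content-Type-Options into an IIS web.config.

Added example, not part of DataMiner. Works on XML text so it can be run
offline; reading and writing the real web.config is left to the caller.
"""
import xml.etree.ElementTree as ET

# Values recommended on this page (browsers treat NOSNIFF case-insensitively).
RECOMMENDED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "NOSNIFF",
}

# Constructed minimal web.config: it already carries a stale, permissive value.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="ALLOWALL" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def _child(parent, tag):
    """Return the child element `tag`, creating it when it is absent."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def merge_custom_headers(config_xml, headers=RECOMMENDED_HEADERS):
    """Return web.config XML in which every header in `headers` is set once.

    For each header a <remove name=.../> precedes the <add .../>: IIS raises a
    'duplicate collection entry' error when applicationHost.config or a parent
    web.config already adds the same name, and the remove also drops any stale
    value in this file. Existing entries for the name are deleted first, so the
    function is idempotent.
    """
    data = config_xml.encode("utf-8") if isinstance(config_xml, str) else config_xml
    root = ET.fromstring(data)
    server = _child(root, "system.webServer")
    custom = _child(_child(server, "httpProtocol"), "customHeaders")
    for name, value in headers.items():
        for old in [e for e in custom if e.get("name") == name]:
            custom.remove(old)
        ET.SubElement(custom, "remove", {"name": name})
        ET.SubElement(custom, "add", {"name": name, "value": value})
    return ET.tostring(root, encoding="unicode")


def configured_headers(config_xml):
    """Map header name -> value for every <add> under customHeaders."""
    data = config_xml.encode("utf-8") if isinstance(config_xml, str) else config_xml
    root = ET.fromstring(data)
    adds = root.findall("./system.webServer/httpProtocol/customHeaders/add")
    return {e.get("name"): e.get("value") for e in adds}


if __name__ == "__main__":
    merged = merge_custom_headers(SAMPLE_WEB_CONFIG)
    print(merged)
    print(configured_headers(merged))
```

ET.tostring drops the XML declaration; prepend it again before writing the file if you want the header line preserved, and restart IIS afterwards as the page describes for the Server header rule.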
HSTS - Strict Transport Security
To bypass TLS encryption on websites served over HTTPS, attackers can use SSL stripping. To mitigate this type of attack, set the Strict-Transport-Security (HSTS) response header. This will instruct the browser to always load DataMiner over HTTPS.
To enable Strict Transport Security:
Open IIS Manager.
In the Connections pane on the left, expand the top node and Sites node until you see Default Web Site.
Right click Default Web Site and select Manage Website > Advanced settings.
Under Behavior, expand HSTS.
Set Enabled to True.
Set IncludeSubDomains to True.
Set Max-Age to 31536000 seconds (i.e. 1 year).
Optionally, set Preload to True.
Optionally, set Redirect Http to Https to True.
Click OK.
Tip
For information about HSTS, see HSTS Cheat Sheet.
Other headers
There are some other HTTP headers that can improve security. However, their value depends on your specific DataMiner setup (e.g. resources used in Dashboards/Low-Code Apps).
Headers to remove
Server Header
DataMiner versions older than 10.3.8/10.4.0 [CU0] will have the Server header configured by default. This header leaks information on the type and version of the web server.
To remove the Server header in IIS, create an outbound rewrite rule that removes the value for the Server header.
To create the outbound rewrite rule:
Open IIS Manager.
In the Connections pane on the left, select Default Web Site.
In the middle pane, double-click URL Rewrite.
In the Actions pane on the right, click Add Rule(s).
Under Outbound rules, select Blank rule, and click OK.
In the Match pane, set Matching scope to Server Variable.
Set the Variable name to RESPONSE_SERVER.
Set the Regular Expressions pattern to .*
Leave the Action type set to Rewrite and leave the Value field empty.
In the Actions pane, click Apply.
Restart IIS.
Alternatively, you can add the following XML in the <system.webServer> element of C:\Skyline DataMiner\Webpages\web.config and then restart IIS:
<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_SERVER" pattern=".*" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>