HTTP headers

HTTP response headers allow you to instruct how the browser should behave when handling data. The HTTP headers below provide extra protection layers to mitigate vulnerabilities (e.g. cross-site scripting, clickjacking, information disclosure, etc.).

Headers to add

X-Frame-Options

The X-Frame-Options header controls which other websites can embed the DataMiner webpages. We recommend restricting this completely or to websites on the same domain.

  1. Open IIS Manager.

  2. In the Connections pane on the left, select Default Web Site.

  3. In the middle pane, double-click HTTP Response Headers.

  4. In the Actions pane, click Add.

  5. Set Name to X-Frame-Options.

  6. Set Value to DENY or SAMEORIGIN.

  7. Click OK.

X-Content-Type-Options

The X-Content-Type-Options header dictates how the browser should handle MIME types of requested resources. We recommend setting this to NOSNIFF.

  1. Open IIS Manager.

  2. In the Connections pane on the left, select Default Web Site.

  3. In the middle pane, double-click HTTP Response Headers.

  4. In the Actions pane, click Add.

  5. Set Name to X-Content-Type-Options.

  6. Set Value to NOSNIFF.

  7. Click OK.

HSTS - Strict Transport Security

To bypass TLS encryption on websites served over HTTPS, attackers can use SSL stripping. To mitigate this type of attack, set the Strict-Transport-Security (HSTS) response header. This will instruct the browser to always load DataMiner over HTTPS.

To enable Strict Transport Security:

  1. Open IIS Manager.

  2. In the Connections pane on the left, expand the top node and Sites node until you see Default Web Site.

  3. Right click Default Web Site and select Manage Website > Advanced settings.

  4. Under Behavior, expand HSTS.

  5. Set Enabled to True.

  6. Set IncludeSubDomains to True.

  7. Set Max-Age to 31536000 seconds (i.e. 1 year).

  8. Optionally, set Preload to True.

  9. Optionally, set Redirect Http to Https to True.

  10. Click OK.

Tip

For information about HSTS, see HSTS Cheat Sheet.

Other headers

There are some other HTTP headers that can improve security. However, their value depends on your specific DataMiner setup (e.g. resources used in Dashboards/Low-Code Apps):

Headers to remove

Server Header

DataMiner versions older than 10.3.8/10.4.0 [CU0] will have the Server header configured by default. This header leaks information on the type and version of the web server.

To remove the Server header in IIS, create an outbound rewrite rule that removes the value for the Server header.

To create the outbound rewrite rule:

  1. Open IIS Manager.

  2. In the Connections pane on the left, select Default Web Site.

  3. In the middle pane, double-click URL Rewrite.

  4. In the Actions pane on the right, click Add Rule(s).

  5. Under Outbound rules, select Blank rule, and click OK.

  6. In the Match pane, set Matching scope to Server Variable.

  7. Set the Variable name to RESPONSE_SERVER.

  8. Set the Regular Expressions pattern to .*.

  9. Leave the Action type set to Rewrite and leave the Value field empty.

  10. In the Actions pane, click Apply.

  11. Restart IIS.

Alternatively, you can add the following XML in the <system.webServer> element of C:\Skyline DataMiner\Webpages\web.config and then restart IIS:

<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_SERVER" pattern=".*" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>
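After applying the settings above (the three headers to add and the Server header removal), it is worth checking a real response rather than trusting the IIS dialogs. The following Python script is an added example, not part of the original page or of the DataMiner product: it parses a raw HTTP response header block and reports every deviation from the recommendations on this page. The two response samples inside it are constructed for illustration; the Server header value in the weak sample is a made-up placeholder, and the check treats an absent or empty Server header as passing, on the assumption that the rewrite rule above leaves no value behind.

```python
"""Audit an HTTP response header block against the IIS hardening advice above.

Checks performed:
  - X-Frame-Options is DENY or SAMEORIGIN
  - X-Content-Type-Options is nosniff (case-insensitive)
  - Strict-Transport-Security is present, max-age >= 1 year, includeSubDomains set
  - Server header is absent (or rewritten to an empty value)
"""
from __future__ import annotations

HSTS_MIN_MAX_AGE = 31536000  # one year in seconds, as recommended above

# Constructed sample: a response that misses most of the recommendations.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Example-WebServer/1.0
X-Frame-Options: ALLOW-FROM https://partner.example.invalid
Strict-Transport-Security: max-age=300
"""

# Constructed sample: a response that follows every recommendation above.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse raw response headers (status line optional) into a mapping keyed by
    lower-cased header name; repeated headers are kept in order as a list."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/") or ":" not in line:
            continue  # skip the status line, blank lines and junk rather than abort
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split 'max-age=31536000; includeSubDomains; preload' into directives.
    Directive names are lower-cased; valueless directives map to None."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip() or None
    return directives


def audit_headers(raw: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: list[str] = []

    xfo = h.get("x-frame-options", [""])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    xcto = h.get("x-content-type-options", [""])[0].lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    hsts_values = h.get("strict-transport-security")
    if not hsts_values:
        findings.append("Strict-Transport-Security missing")
    else:
        directives = parse_hsts(hsts_values[0])
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_MAX_AGE} seconds")
        if "includesubdomains" not in directives:
            findings.append("HSTS includeSubDomains not set")

    # The rewrite rule above empties the value, so only a non-empty Server header counts.
    server_values = [v for v in h.get("server", []) if v]
    if server_values:
        findings.append(f"Server header present: {server_values[0]}")

    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_headers(sample)
        print(f"{label}: {'OK' if not result else ', '.join(result)}")
```

To audit a live DataMiner web server, capture the response headers with any HTTP client and pass the raw header text to `audit_headers`; the HSTS checks only make sense on a response fetched over HTTPS, since browsers ignore the header on plain HTTP.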