Security-hardening properties
IBM® Business Process Manager provides configuration settings at the deployment environment level that harden security against web application threats, including cross-site request forgery (CSRF), network sniffing, clickjacking, and the upload of malicious documents.
These security settings are off by default. You enable them by setting custom properties at the deployment environment (DE) level in the configuration repository by using the setBPMProperty command. The following table describes the available properties and shows you how to set them for the sample deployment environment De1.
Property | Accepted values | Example | Default value
---|---|---|---
ProcessServer.CsrfProtectionRefererWhitelist | A comma-separated list of host names (or domain names) that are valid values for the Referer header field. Restricting the values to the host names and domain names that serve IBM BPM user interfaces mitigates CSRF. For more information about the Referer header field, see RFC 7231. | | Unassigned, which allows the Referer header of the HTTP request to contain any value
ProcessServer.CsrfProtectionOriginWhitelist | A comma-separated list of prefixes in the format protocol://host:port that are acceptable values for the Origin header field. Restricting the values to the host names and domain names that serve IBM BPM user interfaces mitigates CSRF. For more information about the Origin header, see RFC 6454. | | Unassigned, which allows the Origin header of the HTTP request to contain any value
ProcessServer.XFrameOptionsHeaderValue | The value of the X-Frame-Options field in the HTTP response header. IBM BPM returns this value to client requests. The value prevents browsers from embedding IBM BPM user interfaces in iframes and thus mitigates potential clickjacking attacks. You can set the following values: | | Unassigned, which omits the X-Frame-Options field from the response header
ProcessServer.ContentSecurityPolicyHeaderValue | The value of the Content-Security-Policy and X-Content-Security-Policy fields in the HTTP response header. IBM BPM returns this value to client requests. The value instructs the browser to load and run assets in the context of IBM BPM user interfaces only from a set of whitelisted origins. For example, the policy default-src 'unsafe-inline' 'unsafe-eval' https://bpm1.ibm.com https://bpm1; img-src data: https://bpm1.ibm.com https://bpm1 instructs the browser to retrieve images from data: URIs and from URIs that match one of the two whitelisted URI patterns. | | Unassigned, which omits both response header fields
ProcessServer.StrictTransportSecurityHeaderValue | The value of the Strict-Transport-Security field in the HTTP response header. IBM BPM returns this value to client requests. The value instructs the browser to upgrade any http:// link to the server to an https:// link. For more information about the Strict-Transport-Security header, see RFC 6797. A sample value is max-age=100; includeSubDomains. | | Unassigned, which omits the Strict-Transport-Security response header field
ProcessServer.XXssProtectionHeaderValue | The value of the X-XSS-Protection field in the HTTP response header. IBM BPM returns this value to client requests. The value instructs the browser to enable its built-in cross-site scripting protection, independent of the user's configuration. Setting this property can be useful if Internet Explorer places IBM BPM in the intranet zone, which applies weaker browser security settings. A sample value is 1; mode=block. | | Unassigned, which omits the X-XSS-Protection response header field
ProcessServer.XContentTypeOptionsHeaderValue | The value of the X-Content-Type-Options field in the HTTP response header. IBM BPM returns this value to client requests. For example, the value nosniff instructs browsers to disable MIME-type sniffing, a technique that chooses a rendering strategy for server content based on the contents of the HTTP response rather than the declared type. MIME-type sniffing can override the MIME type that IBM BPM explicitly sets on document downloads and thus cause the browser to run JavaScript in a document even though IBM BPM set the Content-Type header to force the download window. | | Unassigned, which omits the X-Content-Type-Options response header field
ProcessServer.CsrfSessionTokenSalt, ProcessServer.CsrfSessionTokenProtectedUris | These properties enable session-specific tokens to mitigate CSRF. | | Unassigned, which leaves IBM BPM vulnerable to CSRF
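The first two rows of the table describe allow-lists for the Referer and Origin headers but not how such a check is evaluated. The following is an added reference implementation written for this page; it is not IBM BPM code and does not show how the product performs the check internally. It models the two property shapes the table describes (a comma-separated list of host names for Referer, a comma-separated list of protocol://host:port prefixes for Origin) and applies them to a request's headers. The property values, the helper names and the sample requests are constructed for the example.

```python
"""Reference check of Referer/Origin allow-lists (added example, not IBM BPM code)."""
from urllib.parse import urlsplit

# Constructed values in the shape the two properties accept (assumed, not from the page).
REFERER_WHITELIST = "bpm1.ibm.com, bpm1"
ORIGIN_WHITELIST = "https://bpm1.ibm.com:9443, https://bpm1:9443"


def parse_list(value):
    """Split a comma-separated property value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def normalize_origin(value):
    """Return 'scheme://host:port' with the default port filled in, or None when
    the value is not an http(s) origin (for example the literal 'null')."""
    try:
        parts = urlsplit(value.strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed port or bracket syntax
        return None
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def referer_allowed(referer, whitelist):
    """True when the host of the Referer URL matches an allowed host exactly.

    Exact host comparison matters: a string-prefix test would accept
    'bpm1.ibm.com.attacker.example'; this function rejects it.
    """
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return False
    if not host:
        return False
    return host.lower() in {h.lower() for h in parse_list(whitelist)}


def origin_allowed(origin, whitelist):
    """True when the Origin header equals one of the allowed origins after both
    sides are normalized (scheme, lower-cased host, explicit port)."""
    if not origin:
        return False
    allowed = {normalize_origin(p) for p in parse_list(whitelist)} - {None}
    return normalize_origin(origin) in allowed


def csrf_check(headers, referer_whitelist=REFERER_WHITELIST,
               origin_whitelist=ORIGIN_WHITELIST):
    """Decide whether a state-changing request passes the allow-list checks.

    Browsers send Origin on cross-origin POSTs and Referer on most navigations
    and XHR calls; a request carrying neither cannot be attributed to an
    allowed user interface and is rejected. Header names are matched
    case-insensitively. Returns (allowed, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        ok = origin_allowed(h["origin"], origin_whitelist)
        return ok, "origin " + ("allowed" if ok else "rejected")
    if "referer" in h:
        ok = referer_allowed(h["referer"], referer_whitelist)
        return ok, "referer " + ("allowed" if ok else "rejected")
    return False, "no Origin or Referer header"


if __name__ == "__main__":
    # Constructed sample requests: two from the BPM user interface, one
    # from a look-alike host, one with no attributable header at all.
    for hdrs in ({"Origin": "https://bpm1.ibm.com:9443"},
                 {"Referer": "https://bpm1.ibm.com/portal/dashboards"},
                 {"Origin": "https://bpm1.ibm.com.attacker.example:9443"},
                 {}):
        print(hdrs, "->", csrf_check(hdrs))
```

The normalization step is what makes the Origin comparison safe: both the configured prefix and the incoming header are reduced to scheme, lower-cased host and an explicit port before they are compared, so a differing port or a host that merely begins with an allowed name does not pass.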
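The remaining rows describe response header fields that are omitted while their properties stay unassigned. The following is an added example written for this page, not IBM BPM code: an audit function that takes a response's header fields as a dictionary and returns one finding per missing or weak hardening header. The expected values it checks for (X-Frame-Options set to DENY or SAMEORIGIN, X-Content-Type-Options set to nosniff, a one-year minimum Strict-Transport-Security max-age) are assumptions chosen for the example, not values the page prescribes; the sample header sets are constructed.

```python
"""Audit hardening response headers (added example, not IBM BPM code)."""
from urllib.request import urlopen

MIN_HSTS_MAX_AGE = 31536000  # assumption: one year, a common audit threshold


def parse_hsts(value):
    """Return (max_age, include_subdomains) parsed from a Strict-Transport-Security value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains


def audit_headers(headers, min_hsts_max_age=MIN_HSTS_MAX_AGE):
    """Return a list of findings for the header fields the table covers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: UI can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    # Either the standard or the legacy X- field satisfies the CSP check.
    csp = h.get("content-security-policy") or h.get("x-content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: no origin restriction on assets")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy permits 'unsafe-inline'/'unsafe-eval', weakening script restrictions")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: http:// links are not upgraded")
    else:
        max_age, subs = parse_hsts(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age < min_hsts_max_age:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below {min_hsts_max_age}")
        if not subs:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing may re-interpret downloads")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing (relevant for Internet Explorer intranet-zone settings)")

    return findings


def fetch_headers(url):
    """Fetch a live server's response headers (network call; not exercised offline)."""
    with urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed samples: a response with no hardening headers and a hardened one.
UNHARDENED = {"Content-Type": "text/html", "Server": "WebSphere"}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src https://bpm1.ibm.com https://bpm1; "
                               "img-src data: https://bpm1.ibm.com https://bpm1",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, sample in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit_headers(sample) or ["no findings"])
```

To audit a real deployment, pass the result of fetch_headers(url) to audit_headers(); the sample dictionaries exist only so that the block runs offline.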