Configuring web.xml Filters
Starting with ThingWorx 9.3.15, 9.4.5, and 9.5.1, the ThingWorx Platform Docker container supports environment variables to configure web.xml filters controlling HTTP headers.
Cross-Origin Resource Sharing (CORS)
As noted in Installation Troubleshooting and described in this PTC Support Article, CORS headers can be controlled through a filter included with Tomcat. For configuration information, see Container Provided Filters. You can enable the CORS filter by setting the WEBXML_CORS_FILTER_ENABLED environment variable to true. If no further customizations are applied, the following defaults are used:
Parameter | Value
cors.allowed.origins |
cors.allowed.methods | OPTIONS,GET,POST,HEAD,PUT,DELETE
cors.allowed.headers | Authorization,appKey,x-thingworx-session,Content-Type,X-Requested-With,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Accept
cors.exposed.headers | Access-Control-Allow-Origin,Access-Control-Allow-Credentials
cors.support.credentials | false
cors.preflight.maxage | 10
cors.request.decorate | true
Parameters can be added or replaced using the WEBXML_CORS_FILTER_PARAMS_JSON environment variable. The value of the environment variable is a JSON mapping of parameter names to values. For example, to change the cors.preflight.maxage and cors.request.decorate parameters, set it to: {"cors.preflight.maxage": 100, "cors.request.decorate": "false"}.
HTTP Security Headers
Tomcat supplies a filter for setting security-related headers, such as Strict-Transport-Security, as described in Enabling HSTS in Apache Tomcat. You can enable this filter by setting the WEBXML_HEADER_SECURITY_FILTER_ENABLED environment variable to true. If no further customization is applied, the Tomcat default values are used.
Note: The ThingWorx Platform does not set any default values.
Parameters can be added or replaced using the WEBXML_HEADER_SECURITY_FILTER_PARAMS_JSON environment variable. The value of the environment variable is a JSON mapping of parameter names to values. For example, to change the hstsMaxAgeSeconds and hstsIncludeSubDomains parameters, set it to: {"hstsMaxAgeSeconds":100, "hstsIncludeSubDomains": "false"}.
Cache-Control
ThingWorx provides a filter for setting other headers, which can be used to set the Cache-Control header, as described in Customizing the Cache Control Header. Since this filter is used by default, there is no flag to enable or disable it. Additional values can be added through the WEBXML_RESPONSE_HEADERS_FILTER_PARAMS_JSON environment variable. For example, to set the Cache-Control header, set it to: {"Cache-Control": "SET max-age=86400, public"}.
Clickjacking Protections
As described in Allowing Embedded Mashups in iFrames, clickjacking protection can be configured with the WEBXML_CLICKJACKING_MODE environment variable. The allowed values are sameorigin (default), allowlist, and deny, as described in the help page mentioned above. If the mode is allowlist, the WEBXML_CLICKJACKING_ALLOWED_SOURCES environment variable should contain the allowed sources.
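The following is an added example, not part of the ThingWorx documentation or any PTC-supplied script, that ties the four filter sections above together: a POSIX shell script that exports the variables for a restrictive configuration, turns them into `docker run` arguments, and checks a captured response header block for the headers those filters should produce. The origin, max-age values, the image name, and the webxml_env_args and check_security_headers helpers are assumptions of this example; the variable names and JSON parameter names are the ones described on this page and in Tomcat's filter documentation.

```shell
#!/bin/sh
# Added example, not part of the ThingWorx documentation: export the web.xml
# filter variables this page describes for a locked-down deployment, pass them
# into `docker run`, and check a captured response for the headers they produce.
# Origins, max-age values and the image name below are constructed placeholders.

# CORS: allow one named origin instead of a wildcard; no credentials across origins.
export WEBXML_CORS_FILTER_ENABLED=true
export WEBXML_CORS_FILTER_PARAMS_JSON='{"cors.allowed.origins": "https://portal.example.com", "cors.support.credentials": "false", "cors.preflight.maxage": 600}'

# HSTS via Tomcat's HttpHeaderSecurityFilter. Tomcat's own hstsMaxAgeSeconds
# default is 0, so a real max-age has to be set explicitly.
export WEBXML_HEADER_SECURITY_FILTER_ENABLED=true
export WEBXML_HEADER_SECURITY_FILTER_PARAMS_JSON='{"hstsMaxAgeSeconds": 31536000, "hstsIncludeSubDomains": "true"}'

# Cache-Control: authenticated platform responses should not be stored by shared caches.
export WEBXML_RESPONSE_HEADERS_FILTER_PARAMS_JSON='{"Cache-Control": "SET no-store"}'

# Clickjacking: refuse framing entirely unless mashups must be embedded elsewhere.
export WEBXML_CLICKJACKING_MODE=deny

# Emit `-e NAME` for every exported WEBXML_* variable so docker run inherits
# them from the current shell (hypothetical helper).
webxml_env_args() {
    env | sed -n 's/^\(WEBXML_[A-Z_]*\)=.*/-e \1/p' | tr '\n' ' '
}

# Typical use (image name is a placeholder):
#   docker run $(webxml_env_args) -p 8080:8080 <your-thingworx-platform-image>

# Check a saved header block, e.g. from `curl -sI https://host/Thingworx/ > headers.txt`.
# Prints each finding and returns 1 if any header is missing or weak, 0 otherwise
# (hypothetical helper).
check_security_headers() {
    hdrs=$1
    status=0
    grep -qi '^Strict-Transport-Security:' "$hdrs" \
        || { echo "missing: Strict-Transport-Security"; status=1; }
    grep -qi '^X-Frame-Options:' "$hdrs" \
        || { echo "missing: X-Frame-Options"; status=1; }
    grep -qi '^Cache-Control:' "$hdrs" \
        || { echo "missing: Cache-Control"; status=1; }
    # A wildcard origin defeats the point of enabling the CORS filter at all.
    if grep -qi '^Access-Control-Allow-Origin: *\*' "$hdrs"; then
        echo "weak: Access-Control-Allow-Origin is a wildcard"; status=1
    fi
    return $status
}
```

One caveat worth checking in the captured headers: Tomcat's HttpHeaderSecurityFilter also emits X-Frame-Options on its own (its antiClickJackingEnabled parameter defaults to true, with DENY as the option), so when both that filter and WEBXML_CLICKJACKING_MODE are in play, confirm that the response does not carry two conflicting X-Frame-Options values; if it does, set antiClickJackingEnabled to false in WEBXML_HEADER_SECURITY_FILTER_PARAMS_JSON and let the ThingWorx setting govern framing.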