Configuring web.xml Filters
Starting with ThingWorx 9.3.15, 9.4.5, and 9.5.1, the ThingWorx Platform Docker container supports environment variables to configure web.xml filters controlling HTTP headers.
Cross-Origin Resource Sharing (CORS)
As noted in Installation Troubleshooting and described in this PTC Support Article, CORS headers can be controlled through a filter included with Tomcat. For configuration information, see Container Provided Filters. You can enable the CORS filter by setting the WEBXML_CORS_FILTER_ENABLED environment variable to true. If no further customizations are applied, the following defaults are used:
| Parameter | Value |
| --- | --- |
| cors.allowed.origins | |
| cors.allowed.methods | OPTIONS,GET,POST,HEAD,PUT,DELETE |
| cors.allowed.headers | Authorization,appKey,x-thingworx-session,Content-Type,X-Requested-With,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Accept |
| cors.exposed.headers | Access-Control-Allow-Origin,Access-Control-Allow-Credentials |
| cors.support.credentials | false |
| cors.preflight.maxage | 10 |
| cors.request.decorate | true |
Parameters can be added or replaced using the WEBXML_CORS_FILTER_PARAMS_JSON environment variable. The value of the environment variable is a JSON mapping of parameter names to values. For example, to change the cors.preflight.maxage and cors.request.decorate parameters, set the variable to {"cors.preflight.maxage": 100, "cors.request.decorate": "false"}.
HTTP Security Headers
Tomcat supplies a filter for setting security-related headers, such as Strict-Transport-Security, as described in Enabling HSTS in Apache Tomcat. You can enable this filter by setting the WEBXML_HEADER_SECURITY_FILTER_ENABLED environment variable to true. If no further customization is applied, Tomcat's own default values are used.
The ThingWorx Platform does not set any default values.
Parameters can be added or replaced using the WEBXML_HEADER_SECURITY_FILTER_PARAMS_JSON environment variable. The value of the environment variable is a JSON mapping of parameter names to values. For example, to change the hstsMaxAgeSeconds and hstsIncludeSubDomains parameters, set the variable to {"hstsMaxAgeSeconds":100, "hstsIncludeSubDomains": "false"}.
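The CORS and HTTP Security Headers sections above both describe the same merge rule: a fixed set of defaults (documented for CORS, Tomcat's own for the header security filter) overridden or extended by a JSON object in an environment variable. The following script is an added example, not PTC's code: it applies that rule to a constructed environment built from the two example JSON values on this page, renders the resulting web.xml init-params for review, and flags a CORS parameter combination that a reviewer would want to see before deployment. The helper names (is_enabled, parse_params_json, effective_cors_params, effective_header_security_params, review_cors, render_init_params) and SAMPLE_ENV are this example's own; the behaviour of treating only the literal string true as enabled is an assumption.

```python
import json
import os
from xml.sax.saxutils import escape

# CORS filter defaults as listed on this page (cors.allowed.origins is empty there).
CORS_DEFAULTS = {
    "cors.allowed.origins": "",
    "cors.allowed.methods": "OPTIONS,GET,POST,HEAD,PUT,DELETE",
    "cors.allowed.headers": ("Authorization,appKey,x-thingworx-session,Content-Type,"
                             "X-Requested-With,Origin,Access-Control-Request-Method,"
                             "Access-Control-Request-Headers,Accept"),
    "cors.exposed.headers": "Access-Control-Allow-Origin,Access-Control-Allow-Credentials",
    "cors.support.credentials": "false",
    "cors.preflight.maxage": "10",
    "cors.request.decorate": "true",
}

# Constructed sample environment, using the two example JSON values from this page.
SAMPLE_ENV = {
    "WEBXML_CORS_FILTER_ENABLED": "true",
    "WEBXML_CORS_FILTER_PARAMS_JSON": '{"cors.preflight.maxage": 100, "cors.request.decorate": "false"}',
    "WEBXML_HEADER_SECURITY_FILTER_ENABLED": "true",
    "WEBXML_HEADER_SECURITY_FILTER_PARAMS_JSON": '{"hstsMaxAgeSeconds":100, "hstsIncludeSubDomains": "false"}',
}


def is_enabled(value):
    """Assumption: a *_FILTER_ENABLED variable turns the filter on only when it is 'true' (case-insensitive)."""
    return (value or "").strip().lower() == "true"


def parse_params_json(raw):
    """Parse a *_PARAMS_JSON value into {param-name: param-value-string}.

    Filter init-params are strings in web.xml, so JSON numbers and booleans are
    stringified (100 -> "100", false -> "false") rather than rejected.
    """
    if raw is None or raw.strip() == "":
        return {}
    data = json.loads(raw)  # malformed JSON raises here, which is the right place to fail
    if not isinstance(data, dict):
        raise ValueError("params JSON must be an object mapping parameter names to values")
    return {str(k): (json.dumps(v) if isinstance(v, bool) else str(v)) for k, v in data.items()}


def effective_cors_params(env=None):
    """Defaults from this page, overridden/extended by WEBXML_CORS_FILTER_PARAMS_JSON; None if disabled."""
    env = os.environ if env is None else env
    if not is_enabled(env.get("WEBXML_CORS_FILTER_ENABLED")):
        return None
    params = dict(CORS_DEFAULTS)
    params.update(parse_params_json(env.get("WEBXML_CORS_FILTER_PARAMS_JSON")))
    return params


def effective_header_security_params(env=None):
    """Only the overrides: ThingWorx sets no defaults, so anything absent keeps Tomcat's own default."""
    env = os.environ if env is None else env
    if not is_enabled(env.get("WEBXML_HEADER_SECURITY_FILTER_ENABLED")):
        return None
    return parse_params_json(env.get("WEBXML_HEADER_SECURITY_FILTER_PARAMS_JSON"))


def review_cors(params):
    """Return review findings for an effective CORS parameter set (empty list means nothing flagged)."""
    findings = []
    origins = [o.strip() for o in params.get("cors.allowed.origins", "").split(",") if o.strip()]
    if "*" in origins and params.get("cors.support.credentials", "false").lower() == "true":
        findings.append("cors.allowed.origins is '*' while cors.support.credentials is true: "
                        "credentialed cross-origin requests from any origin would be accepted")
    for o in origins:
        if o != "*" and not o.lower().startswith("https://"):
            findings.append(f"allowed origin {o!r} is not an https origin")
    return findings


def render_init_params(params):
    """Render the <init-param> entries the filter would receive, for a pre-deployment review."""
    return "\n".join(
        f"  <init-param><param-name>{escape(k)}</param-name><param-value>{escape(v)}</param-value></init-param>"
        for k, v in sorted(params.items())
    )


if __name__ == "__main__":
    cors = effective_cors_params(SAMPLE_ENV)
    print("CORS filter init-params:\n" + render_init_params(cors))
    print("findings:", review_cors(cors) or "none")
    print("header security init-params:\n" + render_init_params(effective_header_security_params(SAMPLE_ENV)))
```

Run it with no arguments to review the constructed sample, or call effective_cors_params() with no argument to read the real container environment. The render step is there so the reviewed artefact is the same shape as what ends up in web.xml; the JSON values themselves are easy to misread (100 as a number versus "false" as a string both become plain strings in the filter).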
Cache-Control
ThingWorx provides a filter for setting other headers, which can be used to set the Cache-Control header, as described in Customizing the Cache Control Header. Since this filter is used by default, there is no flag to enable or disable it. Additional values can be added through the WEBXML_RESPONSE_HEADERS_FILTER_PARAMS_JSON environment variable. For example, to set the Cache-Control header, set the variable to {"Cache-Control": "SET max-age=86400, public"}.
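Once the header security and Cache-Control settings above are in place, the practical check is whether the running instance actually emits what was configured. The script below is an added example, not PTC's or Tomcat's code: it compares a set of constructed response headers (SAMPLE_HEADERS) against the two example JSON values on this page and returns a list of mismatches. It assumes, since the page does not define it, that the SET prefix in the Cache-Control example means "set the header to the rest of the string", and that hstsIncludeSubDomains falls back to Tomcat's default of false when not configured. The function names (get_header, parse_hsts, expected_cache_control, check_response) are this example's own.

```python
import json
import re

# Constructed sample response headers, as a container configured with this page's
# example values (hstsMaxAgeSeconds 100, Cache-Control "SET max-age=86400, public") should emit.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=100",
    "Cache-Control": "max-age=86400, public",
    "Content-Type": "application/json",
}

HSTS_PARAMS_JSON = '{"hstsMaxAgeSeconds":100, "hstsIncludeSubDomains": "false"}'
RESPONSE_HEADERS_PARAMS_JSON = '{"Cache-Control": "SET max-age=86400, public"}'


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security header value."""
    max_age, include = None, False
    for directive in value.split(";"):
        d = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            include = True
    return max_age, include


def expected_cache_control(params_json):
    """Cache-Control value implied by WEBXML_RESPONSE_HEADERS_FILTER_PARAMS_JSON.

    Assumption (not stated on this page): the 'SET ' prefix means
    'set the header to the remainder of the string'.
    """
    raw = json.loads(params_json).get("Cache-Control")
    if raw is None:
        return None
    return raw[4:].strip() if raw[:4].upper() == "SET " else raw.strip()


def _directives(value):
    """Normalise a comma-separated header value into a set for order-insensitive comparison."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def check_response(headers, hsts_params_json, response_headers_params_json):
    """Compare a captured response against the configured values; returns a list of findings."""
    findings = []
    hsts_params = json.loads(hsts_params_json or "{}")

    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age, include = parse_hsts(hsts)
        if "hstsMaxAgeSeconds" in hsts_params and max_age != int(hsts_params["hstsMaxAgeSeconds"]):
            findings.append(f"HSTS max-age is {max_age}, configured {hsts_params['hstsMaxAgeSeconds']}")
        # Assumption: Tomcat's default for hstsIncludeSubDomains is false when not configured.
        want_include = str(hsts_params.get("hstsIncludeSubDomains", "false")).lower() == "true"
        if include != want_include:
            findings.append(f"HSTS includeSubDomains is {include}, configured {want_include}")

    want_cc = expected_cache_control(response_headers_params_json)
    if want_cc is not None:
        got_cc = get_header(headers, "Cache-Control")
        if got_cc is None or _directives(got_cc) != _directives(want_cc):
            findings.append(f"Cache-Control is {got_cc!r}, configured {want_cc!r}")
    return findings


if __name__ == "__main__":
    for line in check_response(SAMPLE_HEADERS, HSTS_PARAMS_JSON, RESPONSE_HEADERS_PARAMS_JSON) or ["all headers match"]:
        print(line)
```

To use it against a real instance, replace SAMPLE_HEADERS with the headers from a captured response (for example, the dict an HTTP client library returns) and pass the same JSON strings you set in the container environment; an empty list means the deployed configuration matches what was intended.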
Clickjacking Protections
As described in Allowing Embedded Mashups in iFrames, clickjacking protection can be configured with the WEBXML_CLICKJACKING_MODE environment variable. The allowed values are sameorigin (default), allowlist and deny, as described in the help page mentioned above. If the mode is allowlist, the WEBXML_CLICKJACKING_ALLOWED_SOURCES environment variable should contain the allowed sources.