You can configure the Policy Editor to add certain security headers to its responses for UI resources by editing the securityHeaders section of the options file. The supported headers are X-Frame-Options, Content-Security-Policy, and Access-Control-Allow-Origin. By default, X-Frame-Options is set to deny and the other two headers are not set.

  1. Make a copy of the default options file.
    $ cp config/options.yml my-options.yml
  2. To configure Policy Editor security headers, edit the securityHeaders section of the new options file.

    The file contains commented out examples of different security headers.

    1. Duplicate the line for the desired security header, uncomment it, and change its value to suit your deployment.

    Note:

    Indentation in the options.yml file is significant. When you remove the comment hashes, make sure the line keeps valid YAML indentation; a header line at the wrong indentation level is not part of the securityHeaders section.

    The following example illustrates the X-Frame-Options header duplicated and modified.

    securityHeaders:
      # Configure the values that the Policy Editor will set in its
      # responses for the X-Frame-Options, Content-Security-Policy, and/or
      # Access-Control-Allow-Origin HTTP security headers here.
      #
      # X-Frame-Options: "deny"
      # Content-Security-Policy: "default-src https:"
      # Access-Control-Allow-Origin: "*"
      X-Frame-Options: "sameorigin"
    
  3. Stop the Policy Editor.
    $ bin/stop-server
  4. Run setup, passing the new file with the --optionsFile argument.
    $ bin/setup demo \
      --adminUsername admin \
      --generateSelfSignedCertificate \
      --decisionPointSharedSecret pingauthorize \
      --hostname <pap-hostname> \
      --port <pap-port> \
      --adminPort <admin-port> \
      --licenseKeyFile <path-to-license> \
      --optionsFile my-options.yml
    
  5. Start the Policy Editor.
    $ bin/start-server
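The procedure above has two places where things silently go wrong: a header line that loses its indentation is no longer part of securityHeaders (the note in step 2), and a header you think you configured may not be what the running server actually sends. The following is an added example, not part of the PingAuthorize documentation or product, that checks both: it reads the small YAML subset used by the securityHeaders section (a top-level key followed by indented `Name: "value"` lines, so it does not need PyYAML), reviews the configured values against what the page says the headers are for, and compares them with the response headers you capture from the started Policy Editor. The sample options text, the mis-indented variant, and the captured response headers are constructed for the example; the value checks (deny/sameorigin for X-Frame-Options, a default-src in the CSP, a warning for a wildcard CORS origin) are this example's own choices, not product rules.

```python
"""Check the securityHeaders section of a Policy Editor options file.

Added example (not the documentation's or product's own code). Parses only
the YAML subset used by the securityHeaders section; run anything more
complex through a real YAML parser.
"""
import re

SUPPORTED = {"X-Frame-Options", "Content-Security-Policy", "Access-Control-Allow-Origin"}
# The Policy Editor sends X-Frame-Options: deny when nothing is configured.
DEFAULTS = {"X-Frame-Options": "deny"}
XFO_VALUES = {"deny", "sameorigin"}

LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z][\w-]*):\s*(?P<val>.*)$")

# Constructed sample: the page's example with a CSP added.
SAMPLE_OPTIONS = """\
securityHeaders:
  # X-Frame-Options: "deny"
  # Content-Security-Policy: "default-src https:"
  # Access-Control-Allow-Origin: "*"
  X-Frame-Options: "sameorigin"
  Content-Security-Policy: "default-src https:"
"""

# Constructed sample: a header uncommented without keeping its indentation.
MISINDENTED_OPTIONS = """\
securityHeaders:
  X-Frame-Options: "sameorigin"
Access-Control-Allow-Origin: "*"
"""


def parse_security_headers(text):
    """Return (headers, problems) for the securityHeaders section.

    headers maps header name -> value for entries found under securityHeaders.
    problems lists lines that look like security headers but sit at column 0
    (YAML treats them as separate top-level keys), uneven indentation, and
    unsupported names.
    """
    headers, problems = {}, []
    in_section, section_indent = False, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or whole-line comment
        m = LINE_RE.match(raw)
        if not m:
            problems.append(f"line {lineno}: cannot parse {raw.strip()!r}")
            continue
        indent, key, val = len(m["indent"]), m["key"], m["val"].strip()
        if indent == 0:
            # A new top-level key: either securityHeaders itself or the end of it.
            in_section, section_indent = key == "securityHeaders", None
            if key in SUPPORTED:
                problems.append(f"line {lineno}: {key} is at column 0, so it is a "
                                "top-level key, not a securityHeaders entry (check indentation)")
            continue
        if not in_section:
            continue
        if section_indent is None:
            section_indent = indent
        elif indent != section_indent:
            problems.append(f"line {lineno}: {key} is indented {indent} spaces "
                            f"but other entries use {section_indent}")
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]  # strip the surrounding quotes
        if key not in SUPPORTED:
            problems.append(f"line {lineno}: {key} is not a supported security header")
        headers[key] = val
    return headers, problems


def review_headers(headers):
    """Return findings about the effective values (configured over defaults)."""
    findings = []
    effective = {**DEFAULTS, **headers}
    if effective["X-Frame-Options"].lower() not in XFO_VALUES:
        findings.append(f"X-Frame-Options {effective['X-Frame-Options']!r} is not deny or "
                        "sameorigin; browsers ignore unknown values, so framing is not restricted")
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy is unset; the UI is served without a CSP")
    elif "default-src" not in csp:
        findings.append("Content-Security-Policy has no default-src fallback directive")
    if headers.get("Access-Control-Allow-Origin") == "*":
        findings.append("Access-Control-Allow-Origin '*' lets any origin read UI responses; "
                        "restrict it to the origins that need access")
    return findings


def missing_from_response(configured, response_headers):
    """Expected headers the started server did not send (or sent with another value).

    Header names are compared case-insensitively; values are compared exactly.
    """
    sent = {name.lower(): value for name, value in response_headers.items()}
    expected = {**DEFAULTS, **configured}
    return {name: value for name, value in expected.items() if sent.get(name.lower()) != value}


if __name__ == "__main__":
    headers, problems = parse_security_headers(SAMPLE_OPTIONS)
    print("configured:", headers, "problems:", problems)
    print("review:", review_headers(headers))
    # Constructed capture of the headers the started Policy Editor returned.
    captured = {"Content-Type": "text/html", "x-frame-options": "sameorigin"}
    print("missing from response:", missing_from_response(headers, captured))
    print("mis-indented file:", parse_security_headers(MISINDENTED_OPTIONS))
```

To use it against a real deployment, replace `captured` with the response headers from a request to the Policy Editor's UI (for example the header lines printed by `curl -I https://<pap-hostname>:<pap-port>/`) after step 5; anything listed by `missing_from_response` means the options file was not picked up by setup or the entry is not under securityHeaders.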