This guide explains how to configure Jetty in Ambience 4.x to add security headers that are commonly flagged as missing by vulnerability scans. Specifically, it covers setting the Content-Security-Policy (CSP) and X-Frame-Options headers using Jetty's RewriteHandler.
Edit jetty/elx-base/etc/jetty-rewrite.xml and add the following rules:
For X‑Frame‑Options:
<Call name="addRule">
  <Arg>
    <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
      <Set name="pattern">/*</Set>
      <Set name="name">X-Frame-Options</Set>
      <Set name="value">SAMEORIGIN</Set>
    </New>
  </Arg>
</Call>
For Content‑Security‑Policy (CSP):
<Call name="addRule">
  <Arg>
    <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
      <Set name="pattern">/*</Set>
      <Set name="name">Content-Security-Policy</Set>
      <Set name="value">default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'self'</Set>
    </New>
  </Arg>
</Call>
Your response headers will now include:
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'self'
Note:
Restart the server after making these changes so that the new rules take effect.
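As an added verification step (not part of the original guide), the following Python script parses a response's headers, confirms that both headers are present, and checks that the CSP frame-ancestors directive agrees with X-Frame-Options. The sample headers embedded in it are a constructed copy of the values shown above.

```python
from typing import Dict, List

# Constructed sample: the response headers the rewrite rules above are meant to add.
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "style-src 'self'; frame-ancestors 'self'"),
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; directive names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing, permissive or inconsistent framing/CSP headers."""
    findings: List[str] = []
    lower = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    xfo = lower.get("x-frame-options", "").upper()
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")
    raw = lower.get("content-security-policy")
    if raw is None:
        findings.append("Content-Security-Policy missing")
        return findings
    csp = parse_csp(raw)
    if "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    for directive in ("default-src", "script-src", "style-src"):
        loose = {"*", "'unsafe-inline'", "'unsafe-eval'"} & set(csp.get(directive, []))
        if loose:
            findings.append(f"CSP {directive} allows {sorted(loose)}")
    ancestors = csp.get("frame-ancestors")
    if ancestors is None:
        findings.append("CSP has no frame-ancestors; framing relies on X-Frame-Options alone")
    else:
        # CSP-aware browsers obey frame-ancestors and ignore X-Frame-Options, so the two
        # should agree: SAMEORIGIN <-> 'self', DENY <-> 'none'.
        expected = {"SAMEORIGIN": ["'self'"], "DENY": ["'none'"]}.get(xfo)
        if expected is not None and ancestors != expected:
            findings.append(f"frame-ancestors {ancestors} disagrees with X-Frame-Options {xfo}")
    return findings
```

After the restart, feed the script the headers of a real response (for example, those printed by curl -I) to confirm the rules are active; an empty list of findings means both headers are present and consistent.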