Adding Security Headers (HSTS, CSP & Anti‑Clickjacking) in Jetty for Ambience 4.x

This guide explains how to configure Jetty in Ambience 4.x to add security headers that vulnerability scans commonly flag as missing. It covers the Strict-Transport-Security (HSTS), Content-Security-Policy (CSP) and X-Frame-Options headers, added with Jetty's RewriteHandler so that every response carries them without any change to the application itself.

Edit jetty/elx-base/etc/jetty-rewrite.xml and add the rules below inside the RewriteHandler definition (the New element with class org.eclipse.jetty.rewrite.handler.RewriteHandler), which is where addRule calls belong. Each rule is a HeaderPatternRule: pattern selects the request paths it applies to (/* matches every request), and name and value give the response header to set.

Browsers honour Strict-Transport-Security only on responses received over HTTPS. Once a browser has seen it, it refuses plain-HTTP connections to the host, and with includeSubDomains to every subdomain as well, for max-age seconds (one year with the value below), so confirm TLS works on all of them before enabling the rule.

To add the HSTS header:

<Call name="addRule">
  <Arg>
    <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
      <Set name="pattern">/*</Set>
      <Set name="name">Strict-Transport-Security</Set>
      <Set name="value">max-age=31536000; includeSubDomains</Set>
    </New>
  </Arg>
</Call>

SAMEORIGIN lets pages from the application's own origin frame it and blocks framing from anywhere else. If Ambience content is deliberately embedded in pages on another origin, that embedding will stop working; X-Frame-Options has no widely supported way to list other origins, so in that case name them in the frame-ancestors directive of the CSP rule below, which browsers that understand it apply in preference to X-Frame-Options. The X-Frame-Options header is still worth sending for older browsers.

For X-Frame-Options:

<Call name="addRule">
  <Arg>
    <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
      <Set name="pattern">/*</Set>
      <Set name="name">X-Frame-Options</Set>
      <Set name="value">SAMEORIGIN</Set>
    </New>
  </Arg>
</Call>

The policy below allows scripts, styles and all other resources only from the application's own origin and blocks inline scripts and styles, data: URLs and third-party resources. A policy this strict can break pages that depend on any of those, so test it first: set the rule's name to Content-Security-Policy-Report-Only, which makes browsers log violations in the developer console without blocking anything, and change it back to Content-Security-Policy once the application works cleanly.

For Content-Security-Policy (CSP):

<Call name="addRule">
  <Arg>
    <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
      <Set name="pattern">/*</Set>
      <Set name="name">Content-Security-Policy</Set>
      <Set name="value">default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'self'</Set>
    </New>
  </Arg>
</Call>

Once the server has been restarted, every response will include:

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'self'

Note:
Restart the Ambience server after saving the file. Jetty reads jetty-rewrite.xml only at startup, so the rules take effect at the next start.
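To confirm the headers after the restart, the following script is an added example for this page and is not part of Ambience or Jetty. It reads raw response headers, as printed by curl -sSI, and checks the three headers against the values configured above; it also warns when the URL is not HTTPS, since browsers ignore HSTS on plain HTTP. The host name ambience.example.com and the two sample responses embedded in it are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Ambience or Jetty code): verify that a server returns the three
# headers configured in jetty-rewrite.xml. Reads raw response headers, as printed by
# `curl -sSI URL`, from stdin.

# Expected values; keep these in sync with the rules in jetty-rewrite.xml.
HSTS_EXPECTED='max-age=31536000; includeSubDomains'
XFO_EXPECTED='SAMEORIGIN'
CSP_EXPECTED="default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'self'"

# header_value NAME: print the trimmed value of the first header called NAME on stdin.
# Header names are matched case-insensitively and CRs from the wire are dropped.
header_value() {
  tr -d '\r' | awk -v name="$1" '
    {
      i = index($0, ":")
      if (i == 0) next                      # status line or blank line
      if (tolower(substr($0, 1, i - 1)) != tolower(name)) next
      v = substr($0, i + 1)
      sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print v
      exit
    }'
}

# check_one HEADERS NAME EXPECTED: report OK / MISSING / MISMATCH for one header.
check_one() {
  actual=$(printf '%s\n' "$1" | header_value "$2")
  if [ -z "$actual" ]; then
    echo "MISSING  $2"
    return 1
  elif [ "$actual" != "$3" ]; then
    echo "MISMATCH $2: got '$actual', want '$3'"
    return 1
  fi
  echo "OK       $2: $actual"
}

# check_headers: read a full header block from stdin and check all three headers.
# Returns 0 only when every header is present with the expected value.
check_headers() {
  hdrs=$(cat)
  status=0
  check_one "$hdrs" Strict-Transport-Security "$HSTS_EXPECTED" || status=1
  check_one "$hdrs" X-Frame-Options "$XFO_EXPECTED" || status=1
  check_one "$hdrs" Content-Security-Policy "$CSP_EXPECTED" || status=1
  return "$status"
}

# check_url URL: fetch the headers with curl and check them. Browsers ignore
# Strict-Transport-Security on plain HTTP, so only an https:// URL is a meaningful test.
check_url() {
  case "$1" in
    https://*) ;;
    *) echo "warning: $1 is not HTTPS; Strict-Transport-Security is ignored on plain HTTP" >&2 ;;
  esac
  curl -sSI "$1" | check_headers
}

# Constructed sample responses for offline use (not captured from a real server).
SAMPLE_GOOD=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'self'
EOF
)
SAMPLE_BAD=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
EOF
)

# Usage: ./check_headers.sh https://ambience.example.com/   (host name is a placeholder)
if [ $# -gt 0 ]; then
  check_url "$1"
fi
```

Run it against the HTTPS address of the Ambience server; a non-zero exit status means at least one header is missing or differs from the configured value, and the OK/MISSING/MISMATCH lines say which. If a scanner still reports the headers as missing, check that it was pointed at the same port and path that Jetty serves, since rules with pattern /* apply to every request Jetty handles.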