The web server in the runtime system, which provides the WebVisu, can be configured to send additional HTTP security headers. This can be used, for example, to enable additional security features such as X-Frame-Options.
To enable one or more headers, configure the necessary settings in the configuration file of the CODESYS Control Win V3 runtime system, which is located in the CODESYS installation directory:
<installation folder>/GatewayPLC/CODESYSControl.cfg
Specify the settings under the [CmpWebServer] section.
For the web browser (part of the CODESYS Control Win V3 runtime system), a default value is not specified for the HTTP Security header. The header is not enabled by default because the functionality depends too much on the environment.
For more information, see:
CODESYS Control Win V3
Documentation for the web server in the installation directory (../GatewayPLC/Documentation/WebServerSSL_xx.pdf)
Example
The following code snippet is an excerpt from the CODESYSControl.cfg configuration file. The X-Content-Type-Options header is enabled.
[CmpWebServer]
AdditionalHeader.0.Header="X-Content-Type-Options: nosniff"
AdditionalHeader.0.FileFilter.0="WebVisuV3.bin"
AdditionalHeader.0.ExtensionFilter.0="xml"
AdditionalHeader.0.ExtensionFilter.1="js"
AdditionalHeader.<X>.Header is always required.
AdditionalHeader.<X>.FileFilter.<Y> restricts AdditionalHeader.<X>.Header to the specified file name (optional).
AdditionalHeader.<X>.ExtensionFilter.<Y> restricts AdditionalHeader.<X>.Header to the specified file extension (optional).
AdditionalHeader.<X>.Header is used for all files when AdditionalHeader.<X>.FileFilter and AdditionalHeader.<X>.ExtensionFilter are not configured.
The X-Content-Type-Options header can be inserted for "WebVisuV3.bin" and all files which end with ".xml" and ".js".
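To review which files a given [CmpWebServer] configuration actually covers, the filter rules above can be evaluated offline. The following Python script is an added example and not part of the CODESYS documentation or product; the function names are hypothetical, the second sample entry is constructed, and exact (case-sensitive) matching of file names and extensions is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the excerpt above plus a hypothetical entry without filters.
SAMPLE_CFG = '''
[CmpWebServer]
AdditionalHeader.0.Header="X-Content-Type-Options: nosniff"
AdditionalHeader.0.FileFilter.0="WebVisuV3.bin"
AdditionalHeader.0.ExtensionFilter.0="xml"
AdditionalHeader.0.ExtensionFilter.1="js"
AdditionalHeader.1.Header="X-Frame-Options: SAMEORIGIN"
'''

KEY = re.compile(r'^AdditionalHeader\.(\d+)\.(Header|FileFilter|ExtensionFilter)(?:\.\d+)?$')

def parse_additional_headers(cfg_text):
    """Collect AdditionalHeader.<X> entries from the [CmpWebServer] section."""
    entries = defaultdict(lambda: {"Header": None, "FileFilter": [], "ExtensionFilter": []})
    section = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "CmpWebServer" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = KEY.match(key)
        if not m:
            continue
        entry, kind = entries[int(m.group(1))], m.group(2)
        if kind == "Header":
            entry["Header"] = value.strip('"')
        else:
            entry[kind].append(value.strip('"'))
    return dict(entries)

def applies(entry, filename):
    """True if the entry's header is sent for this file under the rules above."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    unfiltered = not entry["FileFilter"] and not entry["ExtensionFilter"]
    matched = filename in entry["FileFilter"] or ext in entry["ExtensionFilter"]
    # Header is always required, so an entry without one contributes nothing.
    return entry["Header"] is not None and (unfiltered or matched)

def headers_for(entries, filename):
    return [entries[i]["Header"] for i in sorted(entries) if applies(entries[i], filename)]
```

Calling headers_for() for each file the WebVisu serves shows where a filtered header such as X-Content-Type-Options is not applied.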