What are the considerations and potential concerns related to the implementation of HTTP Security Headers?
Some concerns have been raised about the configuration of HTTP Security Headers. In response, a thorough review has been conducted to address them and to clarify how the various security headers are implemented in UiPath software, particularly in Orchestrator.
- X-XSS-Protection: While this header is now deprecated and not supported by most modern web browsers, our applications implement several other XSS protection measures. If the X-XSS-Protection header is still required, it can be added to the web.config file. This may produce duplicate headers on some pages, but it does not affect the application's functionality.
- Content Security Policy (CSP): We include a robust CSP that balances strict security controls with broad flexibility for users. Because Orchestrator API responses return only JSON with no active content, adding a CSP to those responses would not provide additional security. In addition, monthly manual penetration testing follows security best practices.
- Strict Transport Security (HSTS): HSTS is already in place in UiPath Orchestrator at the login point. Adding it to pages loaded after login is not required, as those pages are dynamic and served within an established session. Adding it nonetheless will not harm the software; it will only produce duplicate headers in certain cases.
- X-Content-Type-Options: Orchestrator exposes a JSON API that sets Content-Type: application/json on its responses. The nosniff directive does not add extra security, as the content type is already defined.
- Referrer-Policy: Because users are not permitted to enter URLs in any feature of UiPath software, the Referrer-Policy header is not used, and no referrer information is leaked.
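A defender-side check of the headers discussed above, added here as an example (not UiPath code): it parses a captured response and reports each header as ok, missing, weak or duplicated, the duplicate case being the one that adding headers in web.config can produce. The sample response is constructed, and the expected values are assumptions about what an operator wants to see, not UiPath's configuration.

```python
from collections import defaultdict

# Headers discussed above and the substring a defender expects in the value
# (None = any value counts). X-XSS-Protection is deprecated: its absence is reported, not flagged.
EXPECTED = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "content-security-policy": None,
    "referrer-policy": None,
    "x-xss-protection": None,
}
DEPRECATED = {"x-xss-protection"}

def parse_raw_headers(raw):
    """Turn a captured 'curl -i' style response into (name, value) pairs; stops at the body."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def audit_headers(headers):
    """Classify each expected header as ok, missing, weak, duplicate or deprecated-absent."""
    seen = defaultdict(list)
    for name, value in headers:
        seen[name.lower()].append(value)  # HTTP header names are case-insensitive
    report = {}
    for name, expected in EXPECTED.items():
        values = seen.get(name, [])
        if not values:
            report[name] = "deprecated-absent" if name in DEPRECATED else "missing"
        elif len(values) > 1:  # e.g. set by the app and again from web.config
            report[name] = "duplicate"
        elif expected is not None and expected not in values[0].lower():
            report[name] = "weak"
        else:
            report[name] = "ok"
    return report

# Constructed sample response (not captured from a real host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
"""
```

Run `audit_headers(parse_raw_headers(SAMPLE_RESPONSE))` on a real capture to get the per-header report; a `duplicate` entry is harmless per the notes above but worth knowing about when reconciling web.config with the application's own headers.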
UiPath software's current configuration of HTTP Security Headers has been examined and found to provide a secure environment. Some customization options are available if needed, but the existing setup follows established best practices.