HTTP Strict Transport Security (HSTS) is available as an option for N4 security. HSTS is a simple standard that ensures browsers always connect to a website over HTTPS.
The HSTS policy (the Strict-Transport-Security header) is returned to the user agent (browser) over a secure transport (SSL/TLS) only, so at least one request to the website must be made over SSL/TLS. The user agent sets the HSTS policy for the website only when it receives the policy without any warnings or errors; the browser rejects the policy if there are any certificate validation errors, for example when self-signed certificates are used.
This option is enabled by default in the N4 web.xml and is available when users connect directly to the N4 node. If you are using a load balancer/reverse proxy for N4, consult the documentation for your load balancer to enable the HSTS policy at the load balancer/reverse proxy. Information can be found at other third-party websites such as the following:
https://tools.ietf.org/html/rfc6797
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter
https://https.cio.gov/hsts/
https://support.ptc.com/help/thingworx_hc/thingworx_8_hc/en/index.html#page/ThingWorx/Help/Composer/Security/enabling_hsts_in_apache_tomcat.html
Enable cross-origin resource sharing (CORS)
The cross-origin resource sharing (CORS) filter safely allows restricted resources on a web page to be requested from outside sources. Navis strongly recommends that you enable this on your load balancer. If you are using a load balancer for WebSockets (for Control Room UI or VMT), you may need to update the CORS filter setting to allow access for the WebSocket. If you are not using a load balancer, you should re-enable CORS on the N4 Tomcat nodes.
Enable CORS for Apache load balancer
Enable CORS for Tomcat
Enable CORS for Apache load balancer
The cross-origin resource sharing (CORS) security filter safely allows restricted resources on a web page to be requested from outside sources. Navis strongly recommends that you enable this on your load balancer. If you are not using a load balancer, you should enable this on your N4 Tomcat nodes.
To enable CORS on the Apache load balancer:
In your Apache home directory, go to the \conf directory and edit the httpd.conf configuration file.
Make sure that mod_headers.so is enabled:
LoadModule headers_module modules/mod_headers.so
Add the following CORS configuration for the /apex path.
<LocationMatch "/apex">
Header always set Access-Control-Allow-Origin "https://load-balancer-fqdn-1,https://load-balancer-fqdn-2,https://load-balancer-fqdn-3"
Header always set Access-Control-Allow-Methods "GET,POST,PUT,DELETE,HEAD,OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type,X-Requested-With,Accept,Authorization,Origin,Access-Control-Request-Method,Access-Control-Request-Headers"
Header always set Access-Control-Expose-Headers "Access-Control-Allow-Origin,Access-Control-Allow-Credentials"
</LocationMatch>
Replace https://load-balancer-fqdn with the load balancer’s fully qualified domain name or IP address. Use a comma-separated list for multiple domain names. Using the asterisk (*) as the allowed origin would allow CORS requests from any origin.
If the load balancer does not have SSL enabled, the allowed origin should be specified using the HTTP protocol instead of HTTPS (e.g. http://load-balancer-fqdn).
Restart the load balancer.
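The following Apache httpd fragment is an added example, not Navis configuration: it allows several origins by echoing back the requesting Origin only when it matches an allow list, because browsers honour a single value in Access-Control-Allow-Origin and treat a comma-separated list as a CORS failure, and it also sets the HSTS header at the load balancer as described in the HSTS section above. The load balancer FQDNs and the HSTS max-age are assumed placeholders; mod_headers and mod_setenvif (both shipped with httpd) must be loaded.

```apache
# Added example. Both modules ship with Apache httpd.
LoadModule headers_module  modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so

<VirtualHost *:443>
    # ... the load balancer's SSL/TLS configuration goes here ...

    # HSTS is only honoured by browsers when received over TLS without
    # certificate errors, so it is set on the *:443 virtual host only.
    # max-age is an assumed value (63072000 s = 2 years); drop includeSubDomains
    # if other hosts under this domain are not yet served over HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

    <LocationMatch "/apex">
        # Allow list of origins (placeholder FQDNs; replace with the real names).
        # The regex is anchored on both ends so that an origin such as
        # https://load-balancer-fqdn-1.attacker.example does not match.
        # CORS_ORIGIN is set only when the request's Origin header is on the list.
        SetEnvIf Origin "^(https://load-balancer-fqdn-1|https://load-balancer-fqdn-2|https://load-balancer-fqdn-3)$" CORS_ORIGIN=$1

        # Echo back exactly one origin, and only for allowed requests. Requests
        # from any other origin get no Access-Control-Allow-Origin header and
        # therefore fail the browser's CORS check.
        Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

        # The response now varies by Origin; tell caches so a response built for
        # one origin is never served to another.
        Header merge Vary Origin

        Header always set Access-Control-Allow-Methods "GET,POST,PUT,DELETE,HEAD,OPTIONS"
        Header always set Access-Control-Allow-Headers "Content-Type,X-Requested-With,Accept,Authorization,Origin,Access-Control-Request-Method,Access-Control-Request-Headers"
        Header always set Access-Control-Expose-Headers "Access-Control-Allow-Origin,Access-Control-Allow-Credentials"
    </LocationMatch>
</VirtualHost>
```

After restarting, a request to /apex with an allowed Origin header should return that same origin in Access-Control-Allow-Origin, while one with an unlisted Origin should return no such header at all.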