HTTP Headers
HTTP headers are a core part of the request and response in HTTP communication. They carry additional information, such as the browser used by the client, the page being requested, the server handling the request, and so on.
Below are the main headers used in the platform environment when you deploy an application:
| Header | Description | Value |
|---|---|---|
| host | Specifies the host and port number of the resource (server) being requested. | {envName}.{platformDomain} |
| x-forwarded-proto | Identifies the protocol (HTTP or HTTPS) that connects to your proxy or load balancer. | http/https |
| x-forwarded-for | Identifies the originating IP addresses of a client connecting to a web server through an HTTP proxy or load balancer. | `xx.xx.xx.xx, xx.xx.xx.xx`: a single IP, or a chain of IPs if the request passes through multiple proxies |
| x-real-ip | The ending IP address in the x-forwarded-for chain, i.e. the most recent proxy of a client connecting to a web server. | `xx.xx.xx.xx`: the right-most IP address in x-forwarded-for |
| x-host | The originating domain name of the server (for virtual hosting) and optionally the TCP port number. | {envName}.{platformDomain} |
| x-uri | Identifies a name or a web resource. | / |
💡 TIP
Additional security headers are also used on certain stacks in the platform to strengthen application protection.
The list of HTTP headers supported in the platform can differ depending on the topology of your environment. Because external access differs (through the resolver/SLB or through a public IP), there are four main scenarios, each with its own combination of supported headers:
| Topology | Scheme | Supported Headers |
|---|---|---|
| Single application server | (diagram) | host, x-forwarded-proto, x-real-ip, x-forwarded-for, x-host |
| Load balancer with application servers | (diagram) | host, x-real-ip, x-host, x-forwarded-for, x-uri, x-forwarded-proto |
| Application server with public IP | (diagram) | host |
| Load balancer with public IP and application servers | (diagram) | host, x-real-ip, x-host, x-forwarded-for, x-uri, x-forwarded-proto |
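As an added example (not part of the original page or the platform's own code), the following Node.js helper reads the proxy headers listed above, checks that `x-real-ip` agrees with the right-most `x-forwarded-for` entry as the table states, and falls back to the socket address when no proxy headers are present, as in the "Application server with public IP" topology. The header names are the ones from the tables; the host name and IP addresses in the sample requests are constructed.

```javascript
'use strict';

// Split an X-Forwarded-For value into its address list (left = original client).
function parseForwardedFor(value) {
  if (value === undefined || value === null) return [];
  return String(value)
    .split(',')
    .map((part) => part.trim())
    .filter((part) => part.length > 0);
}

// Derive the facts an application usually needs from the platform headers.
// `headers` is Node's req.headers (keys are lower-cased); `socketAddress` is
// req.socket.remoteAddress, used when no proxy headers are present, as in the
// "Application server with public IP" topology where only `host` is set.
function resolveConnection(headers, socketAddress) {
  const chain = parseForwardedFor(headers['x-forwarded-for']);
  const realIp = headers['x-real-ip'];
  const rightMost = chain.length > 0 ? chain[chain.length - 1] : undefined;

  // The table states that x-real-ip is the right-most entry of x-forwarded-for;
  // flag any request where the two disagree so it can be logged.
  const consistent =
    realIp === undefined || rightMost === undefined || realIp === rightMost;

  return {
    originIp: chain.length > 0 ? chain[0] : (realIp || socketAddress), // left-most entry
    nearestHop: rightMost || realIp || socketAddress,                   // right-most entry
    chain,
    consistent,
    proto: headers['x-forwarded-proto'] === 'https' ? 'https' : 'http',
    host: headers['x-host'] || headers['host'],
    uri: headers['x-uri'] || null,
  };
}

// Constructed sample request headers (not captured from a real environment),
// shaped like the "Load balancer with application servers" topology.
const sampleLoadBalanced = {
  host: 'env.platform.example',
  'x-forwarded-proto': 'https',
  'x-forwarded-for': '198.51.100.7, 203.0.113.10',
  'x-real-ip': '203.0.113.10',
  'x-host': 'env.platform.example',
  'x-uri': '/',
};

// Constructed sample for the "Application server with public IP" topology.
const samplePublicIp = { host: 'env.platform.example' };

console.log(resolveConnection(sampleLoadBalanced, '10.0.0.5'));
console.log(resolveConnection(samplePublicIp, '192.0.2.44'));
```

Inside a real handler, call `resolveConnection(req.headers, req.socket.remoteAddress)`. Note that the left-most `x-forwarded-for` entry is whatever the first hop received, so for anything security-sensitive (rate limiting, allow-lists, audit logs) rely on the right-most entries added by the platform's own proxy and record the whole chain rather than trusting the origin address alone.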
Security Headers
You can easily configure security headers through the corresponding configuration file. Its location depends on the type of server used in your environment:
- Apache (PHP, Ruby, Python), MySQL, MariaDB:
/etc/httpd/conf.d/10-shared_headers.conf
- NGINX (PHP, Ruby) and LEMP stack:
/etc/nginx/conf.d/headers/10-shared_headers.conf
- LiteSpeed and LLSMP:
/var/www/conf/vhconf.xml
(these settings can only be changed through the LiteSpeed admin panel)
- Tomcat and TomEE:
/opt/tomcat/conf/web.xml
📝 NOTE
- For the following servers, header handling must be done manually inside your own application: Node.js, Golang, .NET, JavaEngine, SpringBoot. In other words, you need to add code that sets the security headers directly in the application rather than through server configuration.
- For the Tomcat and TomEE stacks, some headers are already enabled by default: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Strict-Transport-Security (SSL connections only). Other headers can be enabled manually if needed.

Don't forget to restart your server after changing the configuration file so that the header changes take effect.
Below is the additional list of HTTP headers used by default on the server stacks mentioned above:
| Header | Description | Value |
|---|---|---|
| Cross-Origin-Embedder-Policy | Allows the server to declare an embedded policy for the given document. | unsafe-none; |
| Cross-Origin-Opener-Policy | Prevents other domains from opening/controlling a window. | same-origin-allow-popups |
| Cross-Origin-Resource-Policy | Prevents other domains from reading the response of the resources to which this header is applied. | same-origin |
| Content-Security-Policy | Controls resources the user agent is allowed to load for a given page. Disabled by default. | frame-ancestors 'self'; frame-src 'self'; |
| Expect-CT (only with SSL enabled) | Allows sites to enforce the Certificate Transparency requirements, which prevents the use of misissued certificates for the site (i.e. requires that any certificate for that site appears in public CT logs). | max-age=3600, enforce |
| Permissions-Policy | Provides a mechanism to allow and deny the use of browser features in its frames and embedded iframes. | payment=(self) geolocation=(self) |
| Strict-Transport-Security (only with SSL enabled) | Forces communication using HTTPS instead of HTTP. | max-age=5; includeSubDomains |
| X-Content-Type-Options | Disables MIME sniffing and forces the browser to use the type given in Content-Type. | nosniff |
| X-Frame-Options | Indicates whether a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>`, or `<object>`. | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | Specifies if a cross-domain policy file (crossdomain.xml) is allowed. The file may define a policy to permit clients to handle data across domains that would otherwise be restricted due to the Same-Origin Policy. | none |
| Referrer-Policy | Controls how much referrer information (sent via the Referer header) should be included with requests. | strict-origin-when-cross-origin (default) |
| X-XSS-Protection | Enables cross-site scripting filtering. | 1; mode=block |
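The note above says that on Node.js (and the other application-level stacks) the headers must be set from application code. As an added example, not from the original page or the platform, the following Node.js code emits the default header set from the table, switching on the two headers the page marks "only with SSL enabled" when the platform proxy reports `x-forwarded-proto: https`, and leaving Content-Security-Policy off unless explicitly requested, as the table says it is disabled by default. It assumes the application only receives traffic through the platform proxy; the `fakeResponse` stand-in and the sample request are constructed so the file runs without opening a socket. One deliberate difference from the table: the Permissions-Policy directives are joined with a comma, since that header is a comma-separated dictionary on the wire.

```javascript
'use strict';

// The platform's default header set, taken from the table above. `tls` turns on
// the two headers the page marks "only with SSL enabled"; `csp` turns on
// Content-Security-Policy, which the page says is disabled by default.
function securityHeaders({ tls = false, csp = false } = {}) {
  const headers = {
    'Cross-Origin-Embedder-Policy': 'unsafe-none',
    'Cross-Origin-Opener-Policy': 'same-origin-allow-popups',
    'Cross-Origin-Resource-Policy': 'same-origin',
    // Permissions-Policy directives form a comma-separated dictionary.
    'Permissions-Policy': 'payment=(self), geolocation=(self)',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'SAMEORIGIN',
    'X-Permitted-Cross-Domain-Policies': 'none',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'X-XSS-Protection': '1; mode=block',
  };
  if (csp) {
    headers['Content-Security-Policy'] = "frame-ancestors 'self'; frame-src 'self';";
  }
  if (tls) {
    headers['Strict-Transport-Security'] = 'max-age=5; includeSubDomains';
    headers['Expect-CT'] = 'max-age=3600, enforce';
  }
  return headers;
}

// Apply the set to a Node.js response. TLS is terminated at the platform
// proxy, so whether the client used HTTPS is read from x-forwarded-proto
// (assumption: the app only receives traffic through that proxy).
function applySecurityHeaders(req, res, options = {}) {
  const tls = req.headers['x-forwarded-proto'] === 'https';
  const headers = securityHeaders({ tls, ...options });
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return headers;
}

// Minimal stand-in for http.ServerResponse so the example runs without
// opening a socket; in a real application pass the actual `res` object.
function fakeResponse() {
  const stored = {};
  return {
    setHeader(name, value) { stored[name.toLowerCase()] = value; },
    getHeader(name) { return stored[name.toLowerCase()]; },
  };
}

// Constructed sample request as forwarded by the platform load balancer.
const sampleReq = { headers: { host: 'env.platform.example', 'x-forwarded-proto': 'https' } };
const res = fakeResponse();
applySecurityHeaders(sampleReq, res);
console.log('HSTS:', res.getHeader('Strict-Transport-Security'));
console.log('CSP :', res.getHeader('Content-Security-Policy'));
```

In a real server, call `applySecurityHeaders(req, res)` at the top of the `http.createServer` request callback (or as the first middleware) before any body is written, since headers cannot be changed after that. Two caveats on the defaults as listed: an HSTS `max-age` of 5 seconds means browsers forget the policy almost immediately, so raise it once you are confident every subdomain serves HTTPS correctly, and `X-XSS-Protection` is ignored by current browsers, so the real protection against injected scripts comes from Content-Security-Policy, which you have to enable explicitly.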