Search Security Header Level

Controls the level of the HTTP headers sent by the search script. The dowalk (admin) script always sets the default level of HTTP security headers.

Choose None to not send the HTTP security headers.

Choose Default to send the default level of security headers. These prevent the pages from being embedded in an IFRAME (to prevent clickjacking) and prevent content type sniffing. The actual headers sent are subject to change over time as security practices evolve. The current headers are:

X-Frame-Options: Deny
Content-Security-Policy: frame-options 'self'
X-Content-Type-Options: nosniff

Choose Strict to send more stringent security headers, including enforcing HSTS. Note that once users receive the HSTS header via https, it is not possible to undo its effect on the user's browser. Most notably, you cannot revert from a valid certificate to an unsigned certificate, or disable https.

Strict-Transport-Security: max-age=31536000

Note that the appliance's Apache configuration also specifies these headers, so non-/texis (static) content also carries the security headers. If you wish to disable the headers, you will also need to manage the Apache configuration via Webmin.
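As an added example (not appliance code and not part of this page), the following Python check reads the response headers of a page and reports which of the three levels appears to be in effect, using the header names and values listed above; it is useful for confirming that the search script and the Apache-served static content agree after changing this setting.

```python
"""Classify which Search Security Header Level a response appears to use.

Added example, not appliance code. Header names and values are taken from
the documentation above; any responses fed to it are constructed by the caller.
"""

DEFAULT_HEADERS = {
    "x-frame-options": "deny",
    "content-security-policy": "frame-options 'self'",
    "x-content-type-options": "nosniff",
}
HSTS = "strict-transport-security"


def normalize(headers):
    """Lower-case header names and values for case-insensitive comparison."""
    return {k.lower(): v.strip().lower() for k, v in headers.items()}


def missing_default_headers(headers):
    """Names of Default-level headers that are absent or carry another value."""
    h = normalize(headers)
    return sorted(n for n, v in DEFAULT_HEADERS.items() if h.get(n) != v)


def hsts_max_age(headers):
    """HSTS max-age in seconds, or None if the header is absent or malformed."""
    value = normalize(headers).get(HSTS)
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name == "max-age" and num.isdigit():
            return int(num)
    return None


def security_level(headers):
    """Report 'none', 'default' or 'strict' as the setting defines them.

    'partial' means some Default headers are present and others are not,
    which points at the appliance and Apache configurations disagreeing.
    """
    missing = missing_default_headers(headers)
    if len(missing) == len(DEFAULT_HEADERS):
        return "none"
    if missing:
        return "partial"
    return "strict" if hsts_max_age(headers) is not None else "default"
```

Pass it `dict(response.headers)` from a /texis search URL and from a static page; a "partial" result, or different levels for the two, means the Apache-side headers are out of step with this setting.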


Copyright © Thunderstone Software     Last updated: Jul 2 2025
Copyright © 2025 Thunderstone Software LLC. All rights reserved.