Like never before, your audience expects the digital products and services that they use to be safe. We can enable additional security settings from our side to strengthen the safety of your content, and to avoid vulnerabilities. In this article, we go over these security enhancements.
💡 This feature is not generally available. That’s because some security headers, such as strict with HSTS, restrict the ability to embed your Docs on a website. If you want to enable these security settings, please contact our Support team.
In this article
Which security settings do we support?
Our additional security settings allow you to prevent your Foleon Doc from being placed in an iFrame. This blocks malicious internet users from iFraming a Foleon Doc and adding a layer on top of it to steal readers' information, for example when they're filling in forms.
In addition, we enable you to enforce HTTPS on your own custom domain with an HSTS (HTTP Strict Transport Security) security header. HTTPS is always enforced when you publish on the (free) Foleon domain, but not when you publish on your own custom domain.
⚠️ The project settings feature in the image below is only visible to the Foleon team. If you're interested in enabling these security settings, please contact our Support team.
We go over the different security settings below:
- Strict — Deny X-Frame-Options, enable X-Content-Type-Options, enable X-XSS-Protection.
  - Deny X-Frame-Options is a header that forbids a page from being displayed in a frame.
  - Enable X-Content-Type-Options is a header that prevents MIME type sniffing by declaring that the served MIME types are deliberately configured.
  - Enable X-XSS-Protection is a header that stops pages from loading when the browser detects a reflected cross-site scripting (XSS) attack.
- Strict with HSTS — (SSL/TLS required) Enable HSTS, deny X-Frame-Options, enable X-Content-Type-Options, enable X-XSS-Protection.
  - HSTS (HTTP Strict Transport Security) is a method used by websites to declare that they should only be accessed using a secure connection (HTTPS). If a website declares an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates.
How to enable these security settings
These security settings are not generally available, which means they won't be visible to you in the project settings. They can only be set on request. If you're interested in enabling these security settings, please contact our Support team.
⚠️ You can only request these security settings when you have secured your custom domain with an SSL/TLS certificate. Without it, your live Foleon Docs can become unavailable entirely.
After the security settings have been set, you'll need to republish all live Foleon Docs in your project to activate them. When you've republished your Foleon Doc(s), you can check if the security settings are active with an HSTS test service such as gf.dev.
Security headers specifics
When a Foleon Doc’s HTTP headers are set to strict, they're specified as follows:
- Access-control-allow-credentials: false
- Access-control-allow-headers: Origin, X-Requested-With, X-HTTP-Method-Override, Authorization, Content-Type, Accept
- Access-control-allow-methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
- Access-control-allow-origin: *
- Access-control-expose-headers: Date
- Access-control-max-age: 0
- Content-type: text/html; charset=UTF-8
- Date: Tue, 15 Feb 2022 13:48:06 GMT
- Referrer-policy: no-referrer-when-downgrade
- Strict-transport-security: max-age=15724800; includeSubDomains
- X-content-type-options: nosniff
- X-frame-options: SAMEORIGIN
- X-XSS-protection: 1
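To verify the settings after republishing (the check step described under "How to enable these security settings"), you can also inspect the raw response headers yourself instead of relying on an external test service. The following script is an added example, not Foleon's own tooling: it parses a captured header block, such as the output of `curl -sI https://<your custom domain>`, and reports which of the strict / strict-with-HSTS headers listed above are missing or weak. The sample header blocks are constructed for this example (the first mirrors the list above; the second is a deliberately weak configuration), and the minimum HSTS max-age is an assumed threshold taken from the value on this page.

```python
"""Check a raw HTTP response header block for the strict / strict-with-HSTS headers.

Added example, not part of Foleon's product. Feed it the headers of a live Doc,
e.g. check_strict_headers(open("headers.txt").read()) after `curl -sI <url> > headers.txt`.
"""
from typing import Dict, List, Union

# Constructed sample: the header block this article lists for a strict Doc with HSTS.
STRICT_SAMPLE = """\
HTTP/1.1 200 OK
Access-control-allow-credentials: false
Access-control-allow-origin: *
Content-type: text/html; charset=UTF-8
Date: Tue, 15 Feb 2022 13:48:06 GMT
Referrer-policy: no-referrer-when-downgrade
Strict-transport-security: max-age=15724800; includeSubDomains
X-content-type-options: nosniff
X-frame-options: SAMEORIGIN
X-XSS-protection: 1
"""

# Constructed sample: a weak configuration (framable, sniffable, short-lived HSTS).
WEAK_SAMPLE = """\
HTTP/1.1 200 OK
Content-type: text/html; charset=UTF-8
X-frame-options: ALLOWALL
Strict-transport-security: max-age=300
"""

# Assumed threshold: the max-age value shown on this page (15724800 s, about 182 days).
MIN_HSTS_MAX_AGE = 15724800


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a header block into a dict keyed by lower-cased header name.

    The status line and blank lines are skipped; the first ':' separates name
    and value, so values that themselves contain ':' (e.g. Date) stay intact.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> Dict[str, Union[str, bool]]:
    """Split an HSTS value into directives: 'max-age=123; includeSubDomains'
    becomes {'max-age': '123', 'includesubdomains': True}."""
    directives: Dict[str, Union[str, bool]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip() if val else True
    return directives


def check_strict_headers(raw: str, require_hsts: bool = True) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: List[str] = []

    # Anti-framing: the page describes the setting as "deny" but lists SAMEORIGIN;
    # both values stop third-party sites from framing the Doc, so accept either.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive: the Doc can be framed")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing allowed")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection header missing")

    if require_hsts:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("Strict-Transport-Security missing: browsers will still use HTTP")
        else:
            d = parse_hsts(hsts)
            raw_age = d.get("max-age")
            age = int(raw_age) if isinstance(raw_age, str) and raw_age.isdigit() else 0
            if age < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
            if "includesubdomains" not in d:
                findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    for label, sample in (("strict sample", STRICT_SAMPLE), ("weak sample", WEAK_SAMPLE)):
        findings = check_strict_headers(sample)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run the script against a header capture of your own custom domain; an empty findings list means the headers listed above are in place. Note that browsers only honour Strict-Transport-Security when it arrives over HTTPS, so capture the headers from the https:// URL, and pass `require_hsts=False` when you have requested the plain strict setting rather than strict with HSTS.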
Security headers Foleon Docs don’t specify
At the moment, we don't support the following security headers:
- Cache-Control — It doesn’t impact security for Foleon-based web pages — Foleon leaves it up to the browser.
- Content-Security-Policy — This security header is very similar to X-XSS-Protection. An internal investigation has shown there is no security benefit to implementing this.
- Expect-CT — This header became obsolete in June 2021. For more information, please consult this article from Mozilla.
- Feature-Policy — This header is still in its experimental phase.
💡 Foleon meets industry-standard security even though it does not support the security headers listed above. We validate and update our security every year through both internal and external penetration tests, following ISO27001-related structures and processes.