Security
World Wide Web Consortium Standards
Connection Server and security server comply with certain World Wide Web Consortium (W3) standards.
- Cross-Origin Resource Sharing (CORS), which constrains client-side cross-origin requests, is enabled by
  default. You can disable it by adding the entry enableCORS=false to locked.properties.
- Content Security Policy (CSP), which mitigates a broad class of content injection vulnerabilities, is
  enabled by default. You can disable it by adding the entry enableCSP=false to locked.properties.
Cross-Origin Resource Sharing
The Cross-Origin Resource Sharing (CORS) feature regulates client-side cross-origin requests by providing
policy statements to the client on demand and by checking requests for compliance with the policy. This
feature is enabled by default.
Policies include the set of HTTP methods that can be accepted, where requests can originate, and which
content types are valid. These vary according to the request URL, and can be reconfigured as needed by
adding entries to locked.properties.
An ellipsis after a property name indicates that the property can accept a list.
Table 7-1. CORS Properties

| Property | Value Type | Master Default | Other Defaults |
|---|---|---|---|
| enableCORS | true / false | true | n/a |
| acceptContentType... | http-content-type | application/x-www-form-urlencoded,application/xml,text/xml | admin=application/x-amf; helpdesk=application/json,application/text,application/x-www-form-urlencoded; view-vlsi-rest=application/json |
| acceptHeader... | http-header-name | * | n/a |
| exposeHeader... | http-header-name | * | n/a |
| filterHeaders | true / false | true | n/a |
| checkOrigin | true / false | true | n/a |
| allowCredentials | true / false | false | admin=true; broker=true; helpdesk=true; misc=true; portal=true; saml=true; tunnel=true; view-vlsi=true; view-vlsi-rest=true |
| allowMethod... | http-method-name | GET,HEAD,POST | misc=GET,HEAD; saml=GET,HEAD |
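An added example (not from the VMware documentation): a Python check that reads the text of a locked.properties file and reports any of the boolean protections named on this page (enableCORS, enableCSP, filterHeaders, checkOrigin) that has been set away from its documented default of true. It assumes plain key=value lines with the property names spelled exactly as above, and the sample file content is constructed.

```python
# Added example: audit locked.properties for HTTP protections that were switched off.
# Property names and their default of "true" come from the page; SAMPLE is constructed.

PROTECTION_DEFAULTS = {
    "enableCORS": "true",
    "enableCSP": "true",
    "filterHeaders": "true",
    "checkOrigin": "true",
}

# Constructed sample content, not taken from a real server.
SAMPLE = """\
# constructed sample
enableCORS=false
enableCSP = true
! another comment style allowed in .properties files
checkOrigin=False
"""


def parse_properties(text):
    """Parse simple Java .properties lines: key=value or key:value, '#'/'!' comments.
    Line continuations and escapes are not handled (assumption: not used here)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever separator ('=' or ':') appears first.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        key, value = (line, "") if cut < 0 else (line[:cut], line[cut + 1:])
        props[key.strip()] = value.strip()  # a later duplicate key overrides an earlier one
    return props


def audit(text):
    """Return (property, value) pairs whose value differs from the documented default."""
    props = parse_properties(text)
    findings = []
    for name, default in PROTECTION_DEFAULTS.items():
        value = props.get(name)
        # An absent property keeps its default; anything other than "true" is reported.
        if value is not None and value.lower() != default:
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    for name, value in audit(SAMPLE):
        print(f"{name}={value} overrides the documented default of true")
```

Run against the file from each Connection Server and security server, a non-empty result marks a host where one of these protections has been changed and should be reviewed.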
View Security
VMware, Inc.