Limitations
By default, OneSpan User Websites sends several security-related HTTP response headers to protect its web applications against attacks such as cross-site scripting, clickjacking, and protocol downgrade. These headers restrict how far the sites can be customized and how they can be accessed, as described below.
Content-Security-Policy
The Content-Security-Policy response header helps protect web applications against cross-site scripting (XSS), clickjacking, and code injection attacks by telling the browser which sources it may load resources from. By default, the OneSpan User Websites web applications set this response header so that resources may be loaded from the same origin only. Same origin means the same scheme (protocol), the same host, and the same port as the OneSpan User Websites web application.
This means that if you customize OneSpan User Websites and want to include other resources, e.g. style sheets, images, or scripts, you must store those resources at the same origin as your customized version of OneSpan User Websites. Including external script libraries, such as jQuery, will not work if they are loaded from a different origin (for example a public CDN); the browser blocks the load and reports a policy violation in its console.
This behavior is implemented in the OneSpan User Websites web application and cannot be changed.
Referrer-Policy
The Referrer-Policy response header determines how much referrer information the browser includes in the Referer header of requests that originate from a page. By default, OneSpan User Websites sets this response header to no-referrer. The browser then omits the Referer header entirely, so the URL of the OneSpan User Websites page is not disclosed in requests for resources or in navigations to other sites.
This behavior is implemented in the OneSpan User Websites web application and cannot be changed.
Strict-Transport-Security
The Strict-Transport-Security response header instructs web browsers to access the site only via HTTPS. By default, OneSpan User Websites sets this response header with a max-age value of 31536000 seconds. This means that web browsers should remember the setting for a year, automatically rewrite attempts to reach the site over plain HTTP to HTTPS during that period, and refuse to continue past certificate errors for the host.
This behavior is configured in the settings of the embedded Apache Tomcat web application server included in the OneSpan User Websites Setup. This limitation may not apply if you deploy the web applications manually on a web application server that has a different configuration; in that case, verify that the header is still sent.
X-Frame-Options
The X-Frame-Options response header helps protect web applications against clickjacking attacks. By default, OneSpan User Websites sets this response header to DENY. This prevents web browsers from rendering OneSpan User Websites pages inside frame, iframe, or object elements of other web pages, including pages of the same site.
This means, for instance, that you cannot embed OneSpan User Websites in an intranet portal using frames or iframes.
This behavior is configured in the settings of the embedded Apache Tomcat web application server included in the OneSpan User Websites Setup. This limitation may not apply if you deploy the web applications manually on a web application server that has a different configuration; in that case, verify that the header is still sent.
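Because two of the four headers above depend on the application server's configuration rather than on the web application itself, a manual deployment should be checked against the defaults described in this section. The following Python script is an added example, not OneSpan code: it inspects a set of response headers and reports every header that deviates from the same-origin-only Content-Security-Policy, the no-referrer Referrer-Policy, the one-year Strict-Transport-Security, and the DENY X-Frame-Options described above. The sample header sets are constructed, and the string default-src 'self' is an assumption of how the same-origin-only policy is expressed; the page does not show the exact value the product sends.

```python
"""Check a response's security headers against the defaults described in this section."""
from __future__ import annotations

import re
import urllib.request

ONE_YEAR_SECONDS = 31536000

# Constructed sample: header values matching the defaults described above.
# The CSP string is an assumption; "default-src 'self'" is the standard way to
# express a same-origin-only policy.
DEFAULT_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
}

# Constructed sample: a manual deployment whose server configuration differs
# (external jQuery origin allowed, short HSTS lifetime, framing by the same site,
# Referrer-Policy not sent at all).
RELAXED_HEADERS = {
    "content-security-policy": "default-src 'self' https://code.jquery.com",
    "strict-transport-security": "max-age=300",
    "x-frame-options": "SAMEORIGIN",
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_is_same_origin_only(value: str) -> bool:
    """True when default-src is present and no directive names another origin."""
    policy = parse_csp(value)
    if "default-src" not in policy:
        return False  # without the fallback, unlisted fetch directives are unrestricted
    allowed = {"'self'", "'none'"}
    return all(set(sources) <= allowed for sources in policy.values())


def hsts_max_age(value: str) -> int | None:
    """Return the max-age in seconds, or None if the directive is absent."""
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header name: problem} for each header that deviates from the defaults."""
    lower = {name.lower(): val.strip() for name, val in headers.items()}  # names are case-insensitive
    problems: dict[str, str] = {}

    csp = lower.get("content-security-policy")
    if csp is None:
        problems["Content-Security-Policy"] = "header missing"
    elif not csp_is_same_origin_only(csp):
        problems["Content-Security-Policy"] = f"allows sources outside the origin: {csp}"

    referrer = lower.get("referrer-policy")
    if referrer is None or referrer.lower() != "no-referrer":
        problems["Referrer-Policy"] = f"expected no-referrer, got {referrer!r}"

    hsts = lower.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts is not None else None
    if age is None or age < ONE_YEAR_SECONDS:
        problems["Strict-Transport-Security"] = f"max-age below one year: {hsts!r}"

    xfo = lower.get("x-frame-options")
    if xfo is None or xfo.upper() != "DENY":
        problems["X-Frame-Options"] = f"expected DENY, got {xfo!r}"

    return problems


def fetch_headers(url: str) -> dict[str, str]:
    """Fetch a live site's response headers (needs network; not used by the offline checks)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return dict(response.headers.items())


if __name__ == "__main__":
    print("defaults:", check_headers(DEFAULT_HEADERS) or "all four headers as described")
    for name, problem in check_headers(RELAXED_HEADERS).items():
        print(f"relaxed: {name}: {problem}")
```

To check a real deployment, pass the result of fetch_headers("https://your-host/...") to check_headers; any entry it returns corresponds to one of the limitations above that is no longer enforced by that deployment. Note that the CSP check is deliberately strict: any source other than 'self' or 'none' in any directive is reported, which is exactly the condition under which an external library such as jQuery would load.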