Overview
Some regulatory authorities require that a domain send a compliant set of HTTP security headers. This article describes how to set the configuration variables that make Kerio Connect append HTTP security headers to its responses.
Prerequisite
Access to the Kerio Connect server store.
Process
Follow these steps:
- Stop the Kerio Connect service.
- Navigate to the Kerio Connect installation folder. The default locations for the supported operating systems are:
  - Windows: C:\Program Files\Kerio\MailServer\
  - Mac OS X: /usr/local/kerio/mailserver/
  - Linux: /opt/kerio/mailserver/
- Open the mailserver.cfg file with administrator/root privileges.
- Navigate to the HTTP table and set the following variables to the values shown (an empty variable means that header is not appended):

```xml
<variable name="AppendHeaderAccessControlAllowOrigin"></variable>
<variable name="AppendHeaderAccessControlAllowCredentials"></variable>
<variable name="AppendHeaderXFrameOptions">SAMEORIGIN</variable>
<variable name="AppendHeaderXUACompatible">IE=edge</variable>
<variable name="AppendHeaderStrictTransportSecurity">max-age=31536000; includeSubDomains</variable>
<variable name="AppendHeaderContentSecurityPolicy">default-src 'self' 'unsafe-eval' 'unsafe-inline' *.kerio.com; img-src * http: https: data:;</variable>
<variable name="AppendHeaderXContentTypeOptions">nosniff</variable>
<variable name="AppendHeaderXXSSProtection">1; mode=block</variable>
```
- Start the Kerio Connect service.
Confirmation
Follow these steps to confirm:
- Open the Security Headers website.
- Enter your domain and click Scan.
- The outcome is Grade A, which means all HTTP Security Headers are applied correctly, as seen in an example below.
- Scroll down to view the warnings, as seen in an example screenshot below.
Note: Referrer-Policy and Permissions-Policy are optional headers.
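The following script is an added example, not part of this article or of Kerio Connect itself. It covers both the configuration step and the confirmation step: it parses the AppendHeader* variables from the HTTP table (the article's values are embedded as a constructed sample), derives the set of headers the server should now send, and compares that set with the headers of an HTTP response. The mapping from variable name to on-the-wire header name (for example AppendHeaderXFrameOptions to X-Frame-Options) is an assumption inferred from the variable names, and the two sample responses are constructed for illustration. An optional fetch_headers helper is included for running the same check against a live server after the service has been restarted.

```python
"""Derive the expected HTTP security headers from a Kerio Connect HTTP table
and check an HTTP response against them."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <variable> entries from the article, wrapped in a
# root element so that a standard XML parser accepts the fragment.
SAMPLE_CFG = """<table name="HTTP">
<variable name="AppendHeaderAccessControlAllowOrigin"></variable>
<variable name="AppendHeaderAccessControlAllowCredentials"></variable>
<variable name="AppendHeaderXFrameOptions">SAMEORIGIN</variable>
<variable name="AppendHeaderXUACompatible">IE=edge</variable>
<variable name="AppendHeaderStrictTransportSecurity">max-age=31536000; includeSubDomains</variable>
<variable name="AppendHeaderContentSecurityPolicy">default-src 'self' 'unsafe-eval' 'unsafe-inline' *.kerio.com; img-src * http: https: data:;</variable>
<variable name="AppendHeaderXContentTypeOptions">nosniff</variable>
<variable name="AppendHeaderXXSSProtection">1; mode=block</variable>
</table>"""

# Assumed mapping from configuration variable to the header name on the wire.
HEADER_NAMES = {
    "AppendHeaderAccessControlAllowOrigin": "Access-Control-Allow-Origin",
    "AppendHeaderAccessControlAllowCredentials": "Access-Control-Allow-Credentials",
    "AppendHeaderXFrameOptions": "X-Frame-Options",
    "AppendHeaderXUACompatible": "X-UA-Compatible",
    "AppendHeaderStrictTransportSecurity": "Strict-Transport-Security",
    "AppendHeaderContentSecurityPolicy": "Content-Security-Policy",
    "AppendHeaderXContentTypeOptions": "X-Content-Type-Options",
    "AppendHeaderXXSSProtection": "X-XSS-Protection",
}


def expected_headers(cfg_xml):
    """Return {header name: value} for every AppendHeader* variable that has a
    non-empty value. Empty variables mean the header is not appended, so they
    are omitted from the expected set."""
    root = ET.fromstring(cfg_xml)
    expected = {}
    for var in root.iter("variable"):
        name = var.get("name", "")
        value = (var.text or "").strip()
        if name in HEADER_NAMES and value:
            expected[HEADER_NAMES[name]] = value
    return expected


def check_headers(response_headers, expected):
    """Compare response headers (names matched case-insensitively) with the
    expected set. Returns (ok, problems); problems lists each missing or
    mismatched header as a readable string."""
    got = {k.lower(): v.strip() for k, v in response_headers.items()}
    problems = []
    for name, want in expected.items():
        have = got.get(name.lower())
        if have is None:
            problems.append(f"missing: {name}")
        elif have != want:
            problems.append(f"mismatch: {name}: got {have!r}, want {want!r}")
    return (not problems, problems)


def hsts_max_age(value):
    """Extract the max-age directive (seconds) from a Strict-Transport-Security
    value, or None if it is absent."""
    m = re.search(r"max-age=(\d+)", value)
    return int(m.group(1)) if m else None


def fetch_headers(url):
    """Optional live check: return the response headers of a HEAD request.
    Not used by the offline sample run below."""
    import urllib.request
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed response headers: one server configured as in the article, and
# one where the service was restarted before the file was saved.
GOOD_RESPONSE = {
    "Content-Type": "text/html",
    "x-frame-options": "SAMEORIGIN",
    "X-UA-Compatible": "IE=edge",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.kerio.com; img-src * http: https: data:;",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
BAD_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    exp = expected_headers(SAMPLE_CFG)
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        ok, problems = check_headers(resp, exp)
        print(label, "OK" if ok else "FAIL", problems)
```

The check only confirms that each header is present with the value written into mailserver.cfg; it does not rate the strength of the policy itself, which is what the online scan's grade and its warnings report.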
Related Article
Missing Email Signature and Images After Kerio Connect 9.2.9 Upgrade