Some use cases may require the Terminal Service Plus web server to return one or more custom HTTP headers in addition to the standard ones; for example, some penetration tests expect to see specific headers in the HTTP response. This feature addresses that need.


To add your own custom HTTP headers:


1. Create the file "headers.bin" in the folder "*\Clients\webserver", so that the full path is "*\Clients\webserver\headers.bin".


2. Add the custom headers, one per line, as in the example below:

X-XSS-Protection=1; mode=block
X-Content-Type-Options=nosniff
X-Frame-Options=SAMEORIGIN
Content-Security-Policy=frame-ancestors 'self'
Expect-CT=max-age=86400, enforce

and so on, as many as you wish, each line in the form: header_name=header_content


3. Restart the HTML5 web server (AdminTool > Web > Restart Web Servers) to apply the changes.



Remember that overzealous security hardening may degrade HTML5 performance or make it totally unusable. We do not maintain a list of good-practice headers, so you add headers at your own risk: if something breaks, the only support we provide is the recommendation to revert all such changes!


Since HTML5 engine v6.23 it is possible to prefix a header with the leading tag BROWSER_ONLY or HTML5_ONLY, for example:

BROWSER_ONLY X-XSS-Protection=1; mode=block
HTML5_ONLY X-Content-Type-Options=nosniff

and so on. In that case the headers for the internal web server and for HTML5 requests are fetched from different lists; otherwise the headers are used for both instances.

PS: if you use a third-party web server such as IIS or Apache, the headers from headers.bin are not applied to files served by that third-party web server instance, so you must set up these headers separately in the third-party web server.


To activate the HSTS (Strict-Transport-Security) header and/or OCSP stapling, please follow the next FAQ. In that case the HSTS header is served only over SSL (HTTPS) and omitted for HTTP. If you add HSTS headers via headers.bin, browsers may log unwanted messages, since the HSTS header should not be used over HTTP.
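
A check to run on headers.bin before restarting the web server, as an added example (not Terminal Service Plus code): it parses the header_name=header_content lines and the BROWSER_ONLY / HTML5_ONLY tags described above and reports lines that do not fit, including an HSTS entry. It assumes the name is split from the content at the first "=" and that a tag is separated from the header by a space; parse_headers_bin, SAMPLE and the "browser"/"html5" list names are hypothetical.

```python
import re

# Header names must be RFC 7230 tokens (no spaces, colons or control characters).
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
TAGS = {"BROWSER_ONLY": ("browser",), "HTML5_ONLY": ("html5",)}

# Constructed sample file content; line 5 uses ":" instead of "=".
SAMPLE = """\
X-Frame-Options=SAMEORIGIN
BROWSER_ONLY X-XSS-Protection=1; mode=block
HTML5_ONLY X-Content-Type-Options=nosniff
Expect-CT=max-age=86400, enforce
X-Frame-Options: DENY
Strict-Transport-Security=max-age=31536000
"""

def parse_headers_bin(text):
    """Return ({'browser': [(name, value)], 'html5': [...]}, warnings)."""
    lists = {"browser": [], "html5": []}
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        targets = ("browser", "html5")  # untagged header: used for both instances
        first, _, rest = line.partition(" ")
        if first in TAGS:
            targets, line = TAGS[first], rest.strip()
        name, sep, value = line.partition("=")  # assumption: split at the first "="
        name, value = name.strip(), value.strip()
        if not sep or not TOKEN.match(name):
            warnings.append(f"line {lineno}: not header_name=header_content: {raw!r}")
            continue
        if name.lower() == "strict-transport-security":
            warnings.append(f"line {lineno}: HSTS set here would also be sent over HTTP")
        for target in targets:
            if any(n.lower() == name.lower() for n, _ in lists[target]):
                warnings.append(f"line {lineno}: duplicate {name} in {target} list")
            lists[target].append((name, value))
    return lists, warnings

if __name__ == "__main__":
    parsed, problems = parse_headers_bin(SAMPLE)
    for target, headers in parsed.items():
        print(target, headers)
    print("\n".join(problems))
```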