HAProxy Configuration Settings
- Updated on 29 Oct 2024
The HAProxy configuration can be adjusted by editing /etc/brainspace/haproxy/brainspace-haproxy.cfg on the Application Server.
We advise that, before making any changes to this file, you create a backup of the current file in case you need to revert.
If you plan to change the brainspace-haproxy.cfg file, we also recommend that you refer to the HAProxy documentation: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html.
A common place where changes are made to enhance security is:
Content-Security-Policy Header
Brainspace does not come pre-configured with any CSP headers, since the configuration for many of them is specific to the environment where Brainspace is deployed. CSP headers can be added to the HAProxy configuration to meet your security policies.
Examples of other headers already in the default HAProxy configuration:
#### Strict-Transport-Security
http-response set-header Strict-Transport-Security max-age=86400;\ includeSubDomains;
## OWASP Best Practices: (https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)
http-response add-header X-Content-Type-Options nosniff
http-response add-header X-Permitted-Cross-Domain-Policies none
An example of Cache-Control and Pragma HTTP headers that could be added (Cache-Control directives are comma-separated):
## Cache Control
http-response add-header Cache-Control max-age=0,\ no-cache,\ no-store,\ private,\ must-revalidate
http-response add-header Pragma no-cache
Note
All examples given are illustrations only and are not recommendations. You should only apply changes as needed and within your company’s security policy and guidelines.
Additionally, any changes made to the brainspace-haproxy.cfg file may need to be re-added after an upgrade to a new version of Brainspace.
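The following is an added example, not part of the Brainspace documentation: a POSIX shell helper that takes the backup advised above and lists which expected response-header directives have no active line in the file, which helps spot customizations that were dropped by an upgrade. The function names and the list of headers to check are assumptions; adjust the list to the headers your policy requires.

```shell
#!/bin/sh
# Added example (assumed helper names): back up brainspace-haproxy.cfg and
# report expected response-header directives that are absent from it.
#
# Typical use on the Application Server:
#   CFG=/etc/brainspace/haproxy/brainspace-haproxy.cfg
#   backup_cfg "$CFG"
#   missing_headers "$CFG" Strict-Transport-Security Content-Security-Policy \
#       X-Content-Type-Options Cache-Control Pragma

# backup_cfg FILE
# Copies FILE to FILE.bak.<UTC timestamp>, preserving mode and ownership,
# and prints the path of the backup.
backup_cfg() {
    src=$1
    dst="$src.bak.$(date -u +%Y%m%dT%H%M%SZ)"
    cp -p -- "$src" "$dst" && printf '%s\n' "$dst"
}

# missing_headers FILE HEADER...
# Prints each HEADER that has no active "http-response set-header HEADER" or
# "http-response add-header HEADER" line in FILE. Lines starting with '#'
# are comments in HAProxy and do not count. Header names are matched
# case-insensitively and must be the complete token after the keyword.
missing_headers() {
    cfg=$1
    shift
    for h in "$@"; do
        grep -Eiq "^[[:space:]]*http-response[[:space:]]+(set|add)-header[[:space:]]+$h([[:space:]]|\$)" "$cfg" \
            || printf '%s\n' "$h"
    done
}
```

Any header the second function prints is one to re-add to the file before HAProxy is reloaded.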