Missing HTTP Headers – Implementation
Implementation Approach
To enhance application security, the following HTTP headers should be configured in the application.
Where to Add
File Location:
<AE_Application>/aeengine/WEB-INF/spring/security/spring-security.xml
Configuration
Add the following under the <headers> section:
<headers>
<cross-origin-embedder-policy policy="require-corp" />
<cross-origin-resource-policy policy="same-origin" />
<cross-origin-opener-policy policy="same-origin" />
<permissions-policy policy="geolocation=(self 'https://ae.com')" />
</headers>
Header Details
-
Cross-Origin-Embedder-Policy (COEP) →
require-corp
Controls embedding of cross-origin resources -
Cross-Origin-Resource-Policy (CORP) →
same-origin
Restricts resource sharing to same origin -
Cross-Origin-Opener-Policy (COOP) →
same-origin
Protects against cross-origin attacks (e.g., tab isolation) - Permissions-Policy →
geolocation=(self 'https://ae.com')Controls browser feature access (e.g., geolocation)You need to configure the
permissions-policyheader to control which domains are allowed to access browser geolocation.In the line:
-
geolocation→ controls access to location (GPS) -
self→ allows your own application domain -
'https://ae.com'→ allows that specific external domain
✅ What you actually need to add
👉 Replace
'https://ae.com'with the actual trusted domain (if any), or remove it.Best options:
1. If geolocation is NOT required (recommended for VAPT):
<permissions-policy policy="geolocation=()" />2. If only your application needs it:
<permissions-policy policy="geolocation=(self)" />3. If external domain is required:
⚠️ Key Point
-
Do not keep
ae.comunless it is actually used - Always allow only required domains (principle of least privilege)
-
Customization
-
The
policyvalues should be updated based on client requirements and allowed domains