Set HTTP secure headers

Safeguard server and user data with HTTP secure headers.

HTTP secure headers protect user privacy by encrypting user-server communication with Strict-Transport-Security (HSTS), by specifying the trusted content from permitted sources that loads onto the web page with Content-Security-Policy (CSP), and by blocking content file types related to confusion attacks with X-Content-Type-Options.

To guard against possible malicious attacks that can breach web security, Oracle highly recommends adding Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), and X-Content-Type-Options security headers.

You can configure Oracle HTTP Server (OHS) during the WebLogic install.

To add the Strict-Transport-Security (HSTS) header, edit the ssl.conf file in the OHS domain instance directory:

 /u01/app/oracle/product/Middleware12c/user_projects/domains/empirica/
config/fmwconfig/components/OHS/instances/ohs1

Add the following node and replace and replace example:8002 with the actual domain URL and port number:

<VirtualHost example.com:8002> Header always set Strict-Transport-Security 
"max-age=63072000; preload; includeSubDomains" </VirtualHost>

To add the Content-Security-Policy (CSP) and X-Content-Type-Options headers, edit the httpd.config file in the OHS domain instance directory:
```
/u01/app/oracle/product/Middleware12c/user_projects/domains/
empirica/config/fmwconfig/components/OHS/instances/ohs1
```

If the following node doesn't already exists, add:

<IfModule mod_headers.c> Header always set X-Content-Type-Options
nosniffHeader set Content-Security-Policy "default-src 'self'"</IfModule>

For details, please refer to Administering Security for Oracle HTTP Server at https://docs.oracle.com/en/middleware/fusion-middleware/web-tier/12.2.1.4/secure-ohs/introduction-oracle-http-server-security.html.