Client settings

Enable HTTP compression (Web-only)

Select this box to use HTTP compression to reduce the number of bytes being transferred between the ZIETrans runtime, which is running on the WebSphere® Application Server, and the user's browser. This reduces the transfer time between the ZIETrans runtime and the browser (which improves response time) and reduces the number of bytes flowing in the network (which improves network utilization).

Note:

To determine if compression is working properly and to see before and after page sizes in bytes, you can enable tracing by updating the trace.UTIL line in the runtime.properties file (or runtime-debug.properties file if running in debug mode in the ZIETrans Toolkit). For example: trace.UTIL=7. For more information, see Runtime properties files. In the trace file, search for the runtime.filters.CompressionFilter trace entries. For example:

+--------------------------------------+
Text UTIL runtime.filters.CompressionFilter.doFilter()
 17.50.10.140 11/27/06 Servlet.Engine.Transports : 1
enable compression: true 0000CBAx-81SRWWVmQfQ8-_47oK:-1

+--------------------------------------+
Text UTIL runtime.filters.CompressionFilter.doFilter()
 17.50.10.140 11/27/06 Servlet.Engine.Transports : 1
size before: 25315 0000CBAx-81SRWWVmQfQ8-_47oK:-1

+--------------------------------------+
Text UTIL runtime.filters.CompressionFilter.doFilter()
 17.50.10.140 11/27/06 Servlet.Engine.Transports : 1
size after: 4264 0000CBAx-81SRWWVmQfQ8-_47oK:-1

This feature is not applicable when running the ZIETrans application on WebSphere® Portal Server.
ZIETrans ensures the "Accept-Encoding" HTTP header contains "gzip" before compressing a page.
You must restart the application server if you want changes made to compression-related settings picked up while the application is running on the server.
JavaScript™ (.js) and cascading stylesheet (.css) files are not compressed by this new function. You must configure HTTP compression within your HTTP server to provide compression for these types of files. See the documentation of your HTTP server for more information.
This setting can only be specified at the project level. It cannot be specified for individual transformation JSPs

Enable Minify JavaScript Feature (Web-only)

Select the check box to enable the minify JavaScript file feature on the ZIETrans project. The minify JavaScript feature will remove the unnecessary code contents like code comments and extra space (formatting), convert variables into shorter variables and so on, without affecting the processing of the resources by the browser in ZIETrans.

Note:

If ‘Compress default javascript’ option is selected, then it will compress the ZIETrans default JavaScript file, which is under the below ZIETrans project folder :
```
\Web Content\common
\Web Content\common\scripts
\Web Content\ZIETransadmin\scripts
```
If ‘Compress all javascript’ option is selected, then it will compress all the ‘ZIETrans JavaScript files which are located at the below ‘ZIETrans project’ folder:
```
\Web Content\
```
Users who do not want to get compressed javascript file, can set the property, ‘avoidCompressJS’, in the Source tab of Project, to manually mention the names of the JavaScript files with relative path in value (separated by comma (,)). (Already compressed or minified JS file names (abc.min.js) must be given in values to avoid being compressed again, as they are already compressed). For example:
```
<setting name="avoidCompressJS" value="\bootstrap.min.js,\common\bidishape.js"/>
```
After selecting these features, while doing an ‘Export project’, a dialog box showing the ‘Compress JavaScript progress bar’ will be displayed and the process of compression for the javascript file will begin as per the given options.
In a workspace, if a system crash, IDE crash or an abnormal condition occurs during a JavaScript compress process, the javascript files which already got compressed are reverted back to their original stage in the same project with the same workspace by default, when the IDE is restarted. system will take care to revert back original file in same project. (The crash recovery of the project to the original stage will occur only if at least one file related to that project is open at the time of system crash, for which, an ‘export project’ operation is being carried out by enabling the compress JavaScript option).
If an error is displayed on the console for a javascript definition or declaration during the Compress operation, then all the errors should be fixed for the file before re-running the export project operation. An Example of Error during Compress operation is shown below:
```
INVALID_OCTAL_LITERAL. This style of octal literal is not supported in strict mode. at lxgwfunctions.js line 53 : 15
```
The Compress operation of the javascript file has failed due to an error in one of the javascript files. Correct those JS and re-run the export project.
This feature is applicable when running the ZIETrans application on a WebSphere Portal Server.

Enable same origin policy protection (Web-only)

Select this box to prevent CSRF attack on the ZIETrans, which is running on a ZIETrans supported application Server, and the user's browser. This will discard the request that is originated from a URL that has no protocol, or request originated from an unauthorized origin/website.

Note:

To protect against CSRF attack, declare the ZIETrans running URL as the ‘param-value’, in web.xml under the ‘HatsCSRFValidationFilter’ section, for param-name= target.origin. For example:
```
<param-value>http://localhost:9080/Test/entry</param-value>
```
To determine if the CSRF validation is working properly, uncheck the box in client setting and attempt a CSRF attack. This will now allow the modification of ZIETrans data by a different source. The same operation will not be allowed from a different origin, if the client setting check-box is selected.
This feature is not applicable when running the ZIETrans application on a WebSphere Portal Server.
The application server must be restarted for the changes made to origin policy-related settings to be picked up while the application is running on the server.
After enabling origin policy, the default URL, /entry, /ZIETransadmin/admin , /index.jsp and the default project context path ( http://localhost:9080/Test/ ) will be secure from CSRF attack if the origin policy is enabled.
Users can customize to secure more custom URLs. If a user has added a new servlet, then it has to be configured in web.xml file, as shown below to secure it from a CSRF attack.For example:
```
http://localhost:9080/Test/transfer
   <filter-mapping>
			<filter-name>HatsCSRFValidationFilter</filter-name>
		  <url-pattern>/transfer</url-pattern>
   <filter-mapping>
```
Users can enable multiple origin sources by adding the source list as the ‘param-value’ while configuring, under the filter ‘HatsCSRFValidationFilter’ section, against param-name = source.origin. For example:
```
<param-value>http://ZIETrans:9081/index, http://ZIETransapp.com/, http://citi.com</param-value>
```

Enable token based protection (Web-only)

Select this box to prevent CSRF attack on the ZIETrans, which is running on a ZIETrans supported application Server, and the user's browser. This will discard the request even if the attacker is able to bypass the same origin policy.

Note:

To determine if the CSRF validation is working properly, uncheck the box in client setting and try a CSRF attack. This will permit the modification of ZIETrans data by a different source, if the ‘Enable same origin policy’ option is unchecked. The same operation will not be allowed from a different origin, if this check-box is selected, and if an attacker is able to bypass the origin policy, then a token based protection will not allow to modify ZIETrans data by CSRF attack.
This feature is not applicable when running the ZIETrans application on a WebSphere Portal Server.
The application server must be restarted for the changes made to token based settings to be picked up while the application is running on the server.
Token based check, when enabled, will secure the default URL /entry, /index.jsp and the default project context path from CSRF attack, and if the origin policy is enabled then /entry, /ZIETransadmin/admin , /index.jsp and the default project context path ( http://localhost:9080/Test/ ) will be secured from CSRF attack.
Users can customize to secure more custom URLs. If a user has added a new servlet, then it has to be configured in web.xml file, as shown below to secure it from a CSRF attack, and has to add the INPUT HIDDEN FORM field name HatsCSRF in the respective jsppage and the value can be appended by the HatsCSRFValidationFilter token..For example:
```
http://localhost:9080/Test/transfer
   <filter-mapping>
			<filter-name>HatsCSRFValidationFilter</filter-name>
		  <url-pattern>/transfer</url-pattern>
   <filter-mapping>
<INPUT TYPE="HIDDEN" NAME="HatsCSRF" VALUE="">
```
If both of the protection features have been enabled, then unknown sources cannot modify ZIETrans data, and if an attacker is able to bypass the same origin policy, then the token based protection will restrict the modification of ZIETrans user data.

Suppress sending unmodified fields (Web-only)

Select this box to specify that ZIETrans should not send modified input field data to the host when the contents of the field are identical to the data supplied by the host.

Clear this box to specify that ZIETrans should send modified input field data even when the contents of the field are identical to the data supplied by the host. For example, if the host filled a field with ABC and the user typed ABC into the field, the typed data will be returned to the host.

Note: This setting can only be specified at the project level. It cannot be specified for a single transformation JSP.

Enable XSS Policy protection (Web-only)

In the web.xml file, provide the below instructed value to protect against XSS attack on the ZIETrans, which is running on a ZIETrans supported application Server, and the user's browser. This will discard XSS attack.

Note:

To protect against XSS attack, in the web.xml file, under the filter ‘HatsHeaderSecurityFilter’ section, update the ‘param-value’ from “NO” to “YES”. Listed three policies can be enabled and disabled independently by giving respective value “YES” or “NO”.
- "Content-Security-Policy"
- "X-Content-Type-Options"
- "X-XSS-Protection"
The policies are disabled by default. For example:
```
   <param-value>YES</param-value>
```
To determine if the XSS validation is working properly, set the ‘param-value’ to “NO” in web.xml ‘HatsHeaderSecurityFilter’ section
This feature is not applicable when running the ZIETrans application on a WebSphere Portal Server.
The application server must be restarted for the changes made to XSS policy protection-related settings to be picked up while the application is running on the server.
Users can customize to secure more custom URLs. If a user has added a new servlet, then it has to be configured in web.xml file, as shown below to secure it from an XSS attack.For example:
```
http://localhost:9080/Test/transfer
   <filter-mapping>
			<filter-name>HatsHeaderSecurityFilter</filter-name>
		  <url-pattern>/transfer</url-pattern>
   <filter-mapping>
 
```

Enable automatic field advance

Select this box to specify that when a user completely fills an input field with data, focus automatically advances to the next input field.

For Web applications, you can selectively disable this function for an individual transformation by adding the following lines just after the </ZIETrans:Form> tag in the transformation file. To selectively enable the function specify true instead of false.

<script> 
autoAdvance = false;
</script>

Note:

For DBCS considerations when using this setting see Enable automatic field advance.

Include host and non-host input fields: Select this box to specify that when auto advance is enabled, focus automatically advances to the next input field in the order of the input fields on the transformed screen without regard to the order of the input fields on the host screen.
Clear this box to specify that when auto advance is enabled, focus automatically advances to the next input field in the order of the input fields on the host screen.

Initial cursor position

The position of the host application's cursor normally controls the initial input focus location for your screen transformation. In some limited cases, it might be desirable to have the host application's cursor location ignored, and instead give the initial focus to the first item on the transformation. This is intended for highly-customized transformations where the order of host input fields has been changed. With this feature enabled, the initial focus placement will be the first item on the screen transformation rather than the input field containing the host cursor.

Note:

The Initial cursor position setting does not appear in the GUI as a configurable setting. It must be set in the source of the transformation file.
For Web applications, you can enable this feature for a transformation by adding the following lines just after the </ZIETrans:Form> tag in your transformation:
```
<script> 
initialInputFocusFromCursor = false;
</script>
```
Be certain to test your transformation carefully. Many host applications rely on the cursor position for proper behavior. For example, a macro button placed on a transformation may cause the invoked macro to begin entering data in the wrong location on the host application, since the cursor may be in a different location than expected.

nextFieldForDropDown (Web-only)

Use this setting to specify that the cursor position be moved to the next input field when a selection is made from a drop-down list. The default for new projects created in ZIETrans V7.5.0.2, or later, is true. The default for projects created before ZIETrans V7.5.0.2 is false.

Note:

This setting does not appear in the GUI as a configurable setting. It must be set in the source of the application.hap file as shown below.
```
<class name="com.ibm.hats.common.RuntimeSettings">
         <setting name="nextFieldForDropDown" value="true"/>
</class>
```
This setting is effective only when Enable automatic field advance is selected.

Overwrite mode (initial)

Select this box to initially enable overwrite mode (if it is supported by the browser). If enabled, text entered into an input field overwrites text at the cursor position one character at a time. If not enabled, text entered into an input field is inserted at the cursor position pushing existing text ahead. The user can toggle from this initial setting using the Insert key.

Note:

For DBCS considerations when using this setting see Overwrite mode (initial).

Select all text on focus

Select this box if you want all text in a field to be selected when the field receives focus, which is typical behavior for a Web application. Clear this box if you want no text selected when the field receives focus which is typical behavior for a terminal emulator.

Note:

For Web applications:
- The default is selected.
- This setting does not affect the Overwrite mode (initial) setting behavior.
- This setting is only valid when Internet Explorer is used as the browser for the application.
For DBCS considerations when using this setting, see Select all text on focus.

Enable busy page (Web-only)

Select this box to display a busy-page message when multiple requests are submitted by the user before processing has completed on the initial request. Clear this box if you do not want a busy-page message displayed. If cleared, you cannot submit any more requests until the server returns a response.

Enable transformation refresh(Web-only)

Select this box to refresh only the transformation area, if not enabled it refreshes the entire page.

By default, box will be disabled.