Yogesh Yadav (PEGATECH)
Humana Inc.

Posted: February 11, 2018
Last activity: May 8, 2018
Closed

Setting Custom Headers XSS issues (6.1SP2)

I have a need to set custom response headers to address XSS vulnerabilities discovered in a recent app scan.

I understand that in 7.XX we can make use of DSS to set a custom response header. However, in 6.1 SP2 there is nothing that enables us to do so.

I have tried modifying the status.jsp to set the header, but that does not work either.

e.g. status.jsp --> response.addHeader("X-XSS Protection Header", "1");

I am going to see if we can make changes to the LB monitor, but I am not sure that would work.

On a native platform, e.g. if it is a .NET app, you can set it through IIS Manager, but WAS does not provide anything.

I am going to open an SR tomorrow, but I am wondering if peers have come across the same and have found a solution.

Below is what we need.

Content-Security-Policy
X-Content-Type-Options
X-XSS Protection Header
X-Frame-Options
X-XSS Protection Policy
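
Added example, not part of the original post and not Pega or IBM code: a standard servlet filter that sets the response headers listed above on every response, rather than on a single JSP. It assumes the web application's web.xml can be edited to register the filter; the class name SecurityHeadersFilter, the "csp" init parameter and all header values are constructed for illustration.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter. Register it in web.xml with a <filter> entry and a
// <filter-mapping> on /* so that it runs for every request.
public class SecurityHeadersFilter implements Filter {

    private final Map<String, String> headers = new LinkedHashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        // HTTP header field names are hyphenated tokens; a name containing
        // spaces is not a valid field name.
        // Constructed sample values: a strict CSP can break pages that rely
        // on inline script, so test the policy before enforcing it.
        headers.put("X-Content-Type-Options", "nosniff");
        headers.put("X-Frame-Options", "SAMEORIGIN");
        headers.put("X-XSS-Protection", "1; mode=block");
        headers.put("Content-Security-Policy", "default-src 'self'");

        // Optional override so the policy can be changed without recompiling.
        String csp = config.getInitParameter("csp");
        if (csp != null && csp.trim().length() > 0) {
            headers.put("Content-Security-Policy", csp.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set headers before the chain runs: once the response is
            // committed, header changes are ignored.
            for (Map.Entry<String, String> h : headers.entrySet()) {
                if (!http.containsHeader(h.getKey())) {
                    http.setHeader(h.getKey(), h.getValue());
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

After deployment, the result can be checked by requesting any page and confirming that each header appears exactly once in the response.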
