PEGATECH Member since 2011 3 posts
Humana Inc.
Posted: 2 years ago
Last activity: 2 years 5 months ago

Setting Custom Headers XSS issues (6.1SP2)

I have a need to set custom response headers to address XSS vulnerabilities discovered in a recent app scan.

I understand that in 7.XX we can make use of DSS to set a custom response header. However, in 6.1 SP2 there is nothing that enables us to do so.

I have tried modifying the status.jsp to set the header, but that does not work either.

e.g. status.jsp --> response.addHeader("X-XSS Protection Header", "1");

I am going to see if we can make changes to the LB monitor, but I am not sure that would work.

On a native platform, e.g. if it is a .NET app, you can set it through IIS Manager, but WAS does not provide anything.

I am going to open an SR tomorrow, but I am wondering if peers have come across the same and have found a solution.

Below is what we need.

X-Content Type-Options
X-XSS Protection Header
X-XSS Protection Policy

System Administration Security
Moderation Team has archived post
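
An added example, not part of the original post and not Pega or IBM code: a standard `javax.servlet.Filter` is one container-level way to put response headers on every response of a Java web application. The package and class name are hypothetical, the standard names `X-Content-Type-Options` and `X-XSS-Protection` are assumed to be what the list above refers to, and it is an assumption that the filter can be registered in the application's `web.xml` on the WAS deployment in question.

```java
package com.example; // hypothetical package

import java.io.IOException;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example. Register in WEB-INF/web.xml with a <filter> entry and a
// <filter-mapping> whose <url-pattern> is /*; each <init-param> is one header:
//   <init-param><param-name>X-Content-Type-Options</param-name>
//               <param-value>nosniff</param-value></init-param>
//   <init-param><param-name>X-XSS-Protection</param-name>
//               <param-value>1; mode=block</param-value></init-param>
public class SecurityHeadersFilter implements Filter {
    private final Map<String, String> headers = new LinkedHashMap<String, String>();

    public void init(FilterConfig cfg) throws ServletException {
        Enumeration<?> names = cfg.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String value = cfg.getInitParameter(name);
            // Header names are HTTP tokens: no spaces or separators allowed.
            if (!name.matches("[!#$%&'*+.^_`|~0-9A-Za-z-]+")) {
                throw new ServletException("Invalid header name: " + name);
            }
            // Reject CR/LF so a configured value cannot split the response.
            if (value == null || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
                throw new ServletException("Invalid value for header: " + name);
            }
            headers.put(name, value);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set before the chain runs: once the response is committed,
            // the container ignores further header changes.
            for (Map.Entry<String, String> h : headers.entrySet()) {
                http.setHeader(h.getKey(), h.getValue());
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The code avoids `@Override` and the diamond operator so that it compiles at Java 5 source level. These headers only reduce the impact of XSS in the browser; the output-encoding findings from the scan still need to be fixed in the application.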