Question

2
Replies
2035
Views
 Saikat Chakrabortty (Saikat_Chakrabortty)
Capgemini
Pega Developer
Capgemini
IN
Saikat_Chakrabortty Member since 2013 34 posts
Capgemini
Posted: July 18, 2016
Last activity: March 8, 2017
Posted: 18 Jul 2016 10:39 EDT
Last activity: 8 Mar 2017 4:04 EST
Closed
Solved

Want to set X-XSS-Protection: 1 to force XSS protection.

Hi,

Pega version:7.17

As per our requirement we have to set X-XSS-Protection: 1, so that we can force the xss protection. I am not sure how to implement this. The security policy hold one section to set this but unfortunately that part is invisible from the user rule form(Rule-Access-CSP.pzPolicyDefinition) with a visible condition(1==2)

Second way can be from prconfig, if there is any tag, Not sure of the tag name.

Can anyone help me with this?

Thanks,

Saikat

**Updated by moderator: Lochan. Removed user added #helpme tag. Apologies for confusion, shouldn't have been an end-user option.***

Security
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.

Accepted Solution

Posted: 4 years ago
Posted: 18 Jul 2016 10:56 EDT
Harish Gunneri (Harish_GCS)
PEGA
Senior Software Solutions Engineer
Pegasystems Inc.
US

Hi Saikat,


I don't think there is a prconfig setting to add this header from Pega application code level on Pega 7.1.7.


Instead this header can be set at the web server configuration (Apache, IIS, nginx), without changing actual application's code. 


Refer to this article - https://pdn.pega.com/support-articles/unable-set-cross-site-scripting-response-header


There is an option of adding custom HTTP response headers on 7.2.1  However, the use of custom application headers is not recommended because they can cause problems with how the application operates.


-Harish