Question
Want to set X-XSS-Protection: 1 to force XSS protection.
Hi,
Pega version: 7.17
As per our requirement, we have to set X-XSS-Protection: 1 so that we can force the XSS protection. I am not sure how to implement this. The security policy holds one section to set this, but unfortunately that part is invisible on the user rule form (Rule-Access-CSP.pzPolicyDefinition) with a visible condition (1==2).
A second way could be from prconfig, if there is any tag. I am not sure of the tag name.
Can anyone help me with this?
Thanks,
Saikat
**Updated by moderator: Lochan. Removed user added #helpme tag. Apologies for confusion, shouldn't have been an end-user option.**
Hi Saikat,
I don't think there is a prconfig setting to add this header from the Pega application code level on Pega 7.1.7.
Instead, this header can be set in the web server configuration (Apache, IIS, nginx), without changing the actual application's code.
Refer to this article - https://pdn.pega.com/support-articles/unable-set-cross-site-scripting-response-header
There is an option of adding custom HTTP response headers on 7.2.1. However, the use of custom application headers is not recommended because they can cause problems with how the application operates.
-Harish
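
An added check, not part of the original thread: once the header is set in the web server layer as the answer suggests, responses can be audited to confirm that `X-XSS-Protection: 1` is actually sent, including on error pages, and that no second conflicting copy is present. The sample responses are constructed, and the function names are illustrative.

```python
import io
import http.client

def parse_xxp(value):
    """Split an X-XSS-Protection value into (enabled, directives)."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        raise ValueError(f"unexpected value {value!r}")
    directives = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        directives[key.strip().lower()] = val.strip()
    return parts[0] == "1", directives

def audit_response(raw):
    """Return a list of findings for one raw HTTP response (bytes)."""
    fp = io.BytesIO(raw)
    status = fp.readline().decode("latin-1").strip()
    headers = http.client.parse_headers(fp)  # reads up to the blank line
    values = headers.get_all("X-XSS-Protection") or []
    if not values:
        return [f"{status}: header missing"]
    findings = []
    if len(values) > 1:
        # Typically means two layers (application and web server) both set it.
        findings.append(f"{status}: header sent {len(values)} times: {values}")
    for v in values:
        try:
            enabled, _ = parse_xxp(v)
        except ValueError as exc:
            findings.append(f"{status}: {exc}")
            continue
        if not enabled:
            findings.append(f"{status}: filter disabled by value {v!r}")
    return findings

# Constructed sample responses (not captured from a real Pega server).
OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1\r\n\r\n<html></html>"
ERROR_PAGE = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\nnot found"
CONFLICT = b"HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\nX-XSS-Protection: 1; mode=block\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("ok", OK), ("error page", ERROR_PAGE), ("conflict", CONFLICT)):
        print(name, audit_response(raw) or "X-XSS-Protection: 1 present")
```

An empty list means the response carries exactly one enabling value; anything else names the status line and the problem found.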