Question
2
Replies
1983
Views
Capgemini
Posted: 4 years ago
Last activity: 4 years 3 months ago
Want to set X-XSS-Protection: 1 to force XSS protection.
Hi,
Pega version:7.17
As per our requirement we have to set X-XSS-Protection: 1, so that we can force the xss protection. I am not sure how to implement this. The security policy hold one section to set this but unfortunately that part is invisible from the user rule form(Rule-Access-CSP.pzPolicyDefinition) with a visible condition(1==2)
Second way can be from prconfig, if there is any tag, Not sure of the tag name.
Can anyone help me with this?
Thanks,
Saikat
**Updated by moderator: Lochan. Removed user added #helpme tag. Apologies for confusion, shouldn't have been an end-user option.***
Accepted Solution
Posted: 4 years ago
Posted: 4 years ago
Thank you for the recommendation. I will try thi.
Thank you
-Saikat
Hi Saikat,
I don't think there is a prconfig setting to add this header from Pega application code level on Pega 7.1.7.
Instead this header can be set at the web server configuration (Apache, IIS, nginx), without changing actual application's code.
Refer to this article - https://pdn.pega.com/support-articles/unable-set-cross-site-scripting-r…
There is an option of adding custom HTTP response headers on 7.2.1 However, the use of custom application headers is not recommended because they can cause problems with how the application operates.
-Harish