Using HTTP response headers

Make sure that you test every custom header that you create for your application. In some situations, custom headers can cause problems with how the application operates.

Pega Platform supports the ability to add custom headers. You might consider adding the following security headers to your application:

• X-XSS-Protection – Prevents cross-site scripting. Prevents attackers from injecting client-side scripts into the website that is viewed from the user side.
• Strict-Transport-Security – Allows a website to tell browsers that they should communicate only by using HTTPS, not HTTP.
• Content-Security-Policy – Controls the resources that the user agent can load for the website.

For browsers other than Internet Explorer, do not attempt to set a custom X-Frame-Options response header. The correct security setting to use instead is Content Security Policy. For more information, see Content security policies. If you use both X-Frame-Options and content security policy, be sure to test to verify that the options function as intended.