
This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Using HTTP response headers

Updated on July 1, 2021

To improve the security of your application against client-based attacks, you can send the security-related HTTP response headers that browsers honor.

Make sure that you test every custom header that you create for your application. In some situations, custom headers can cause problems with how the application operates.

Pega Platform supports adding custom headers. Note, however, that Pega Platform sends these headers only on dynamic content requests, not on static content requests.

You might consider adding the following security headers to your application:

  • X-XSS-Protection – Enables the browser's cross-site scripting filter, which is intended to stop attackers from injecting client-side scripts into the pages that users view.
  • Strict-Transport-Security – Allows a website to tell browsers that they should communicate only by using HTTPS, not HTTP.
  • Content-Security-Policy – Controls the resources that the user agent can load for the website.

For browsers other than Internet Explorer, do not set a custom X-Frame-Options response header. Instead, control framing with a Content Security Policy. If you use both X-Frame-Options and a Content Security Policy, test the application to verify that the two settings behave as intended together.

For more information, see Content security policies.

  • Creating a custom application header

    You can create a custom application header to protect your application from client-based attacks. Use caution, however, because custom application headers can interfere with how the application operates. Be sure to test the application after implementing custom application headers.

  • Testing a custom application header

    To determine whether a custom application header has been correctly applied, you need to test it.
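The following script is an added example, not part of this documentation page and not Pega Platform code. It audits a response's headers for the three headers recommended above (X-XSS-Protection, Strict-Transport-Security, Content-Security-Policy), flags a CSP that lacks a frame-ancestors directive, and flags the X-Frame-Options/CSP overlap that the page says must be tested. It also shows the dynamic-versus-static difference the page describes by auditing two constructed header sets side by side. The header sets, the URL names and the one-year HSTS threshold are assumptions made for the example; only the `fetch_headers` helper talks to a live server, and it is not called by default. One caveat worth knowing when reading the X-XSS-Protection result: current Chrome, Edge and Firefox no longer implement that filter, so the header has no effect in those browsers and the CSP is what actually protects the page.

```python
"""Audit HTTP response headers for the security headers discussed on this page.

The sample header sets below are constructed for this example; they are not
captured from a real Pega deployment.
"""
import re
import urllib.request
import urllib.error
from typing import Dict, List

# Minimum HSTS lifetime this audit accepts (one year, in seconds).
# This threshold is an assumption for the example, not a Pega setting.
MIN_HSTS_MAX_AGE = 31536000


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lower-cased names."""
    return {k.lower(): v for k, v in headers.items()}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Return max-age from a Strict-Transport-Security value, or -1 if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = _lower_keys(headers)
    findings: List[str] = []

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below %d" % MIN_HSTS_MAX_AGE)

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        if "frame-ancestors" not in parse_csp(csp):
            findings.append("Content-Security-Policy has no frame-ancestors directive")
        if "x-frame-options" in h:
            # The page asks for explicit testing when both mechanisms are present.
            findings.append("X-Frame-Options set alongside CSP; verify both behave as intended")

    return findings


def audit_responses(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit several responses at once, keyed by the URL they came from."""
    return {url: audit_headers(hdrs) for url, hdrs in responses.items()}


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a URL and return its response headers (for use against your own deployment)."""
    try:
        with urllib.request.urlopen(url) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed samples: a dynamic page carrying all three headers, a static
# resource carrying none (as the page says happens for static content), and a
# dynamic page with a weak HSTS lifetime plus the X-Frame-Options/CSP overlap.
SAMPLE_DYNAMIC = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}
SAMPLE_STATIC = {
    "Content-Type": "application/javascript",
    "Cache-Control": "max-age=3600",
}
SAMPLE_CONFLICT = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=600",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    # Hypothetical URLs used only as labels for the constructed samples.
    report = audit_responses({
        "https://example.invalid/prweb/app": SAMPLE_DYNAMIC,
        "https://example.invalid/prweb/static/app.js": SAMPLE_STATIC,
        "https://example.invalid/prweb/other": SAMPLE_CONFLICT,
    })
    for url, findings in report.items():
        print(url, "->", findings or "OK")
```

To audit a real deployment, replace the constructed samples with `fetch_headers(url)` for a dynamic page and for a static resource of the same application; the static one is expected to come back without the custom headers, which is the behaviour the page describes rather than a misconfiguration.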
