
Creating a custom HTTP response header

Updated on June 30, 2021

You can add custom HTTP response headers to harden your application against browser-side attacks, for example by stopping MIME-type sniffing or enforcing HTTPS. Use caution, however: a response header applies to every response the application serves, and some headers change how browsers handle scripts, frames, or content types, which can interfere with how the application operates. Test the application thoroughly after adding custom headers.

  1. In the navigation panel, click Records > SysAdmin > Dynamic System Settings.
  2. In the Setting Purpose column, click the Filter icon.
  3. In the Search Text field, enter http/responseHeaders and click Apply.
  4. Click the instance whose Setting Purpose is http/responseHeaders.
  5. On the Settings tab, in the Value field, enter the headers as a single JSON object, with double-quoted names and values, in the format {"header name":"header value"}, or for multiple headers, {"header1 name":"header1 value","header2 name":"header2 value"}.

    Following are some examples:

    {"X-Content-Type-Options":"nosniff"}
    {"X-XSS-Protection":"1; mode=block"}
    {"Strict-Transport-Security":"max-age=31536000; includeSubDomains"}
    {"X-Content-Type-Options":"nosniff", "X-XSS-Protection":"1; mode=block"}

    Two cautions on these examples. Current browsers no longer implement the XSS filter that X-XSS-Protection controlled, so that header adds no protection on its own and a content security policy is the effective control. Strict-Transport-Security is honored only when received over HTTPS, and includeSubDomains commits every subdomain of the host to HTTPS for the max-age period, so confirm that all subdomains are served over TLS before enabling it.

    You can add a Content-Security-Policy in a format such as {"Content-Security-Policy":"default-src 'self'"}, but best practice is to define content security policies as described in Securing your application with a content security policy.

    Note: For browsers other than Internet Explorer, do not set a custom X-Frame-Options response header. The correct setting to use instead is a Content Security Policy (the frame-ancestors directive). For more information, see Content security policies. If you use both X-Frame-Options and a content security policy, test to verify that the combination behaves as intended, because browsers that support both may apply them differently.
  6. Optional: To see an example configuration, click the History tab.
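The procedure above saves the header set as a JSON value and relies on you to notice if the value is malformed or if a proxy in front of the application drops a header. The following Python script is an added example, not part of this page or of the Pega product: it validates a value in the same format the setting uses before you paste it, then compares the configured headers with the headers actually returned by a response. The setting value and the captured response headers are constructed for the example; the helper names (parse_header_setting, missing_headers, fetch_response_headers) are this example's own.

```python
import json
import urllib.error
import urllib.request  # used only by fetch_response_headers, which needs a live server

# Constructed example of a value for the http/responseHeaders setting
# (assumption: one flat JSON object of header name -> header value, as the page describes).
SETTING_VALUE = (
    '{"X-Content-Type-Options":"nosniff", '
    '"Strict-Transport-Security":"max-age=31536000; includeSubDomains"}'
)


def parse_header_setting(value):
    """Parse a setting value and reject shapes the setting cannot express.

    Returns a dict of header name -> header value. Raises ValueError for anything
    that is not a flat JSON object of strings, so a typo such as single quotes or a
    trailing comma is caught before the value is saved instead of silently ignored.
    """
    try:
        obj = json.loads(value)
    except json.JSONDecodeError as e:
        raise ValueError(f"value is not valid JSON ({e.msg} at position {e.pos}); "
                         "use double quotes and no trailing comma")
    if not isinstance(obj, dict) or not obj:
        raise ValueError('value must be a non-empty JSON object: {"name":"value"}')
    headers = {}
    for name, val in obj.items():
        if not isinstance(val, str):
            raise ValueError(f"header {name!r} must map to a string, not {type(val).__name__}")
        if not name.strip() or any(c in " :\r\n" for c in name):
            raise ValueError(f"invalid header name {name!r}")
        if "\r" in val or "\n" in val:
            # A line break inside a value would terminate the header line itself.
            raise ValueError(f"header {name!r} value contains a line break")
        headers[name] = val
    return headers


def missing_headers(expected, actual):
    """Compare configured headers with headers captured from a response.

    Header names compare case-insensitively (HTTP), values compare exactly.
    Returns a dict of name -> (expected_value, actual_value_or_None) per mismatch.
    """
    lowered = {k.lower(): v for k, v in actual.items()}
    problems = {}
    for name, want in expected.items():
        got = lowered.get(name.lower())
        if got != want:
            problems[name] = (want, got)
    return problems


def fetch_response_headers(url):
    """Issue a HEAD request and return the response headers (needs a live server).

    An HTTP error status (for example a 401 on a login-protected URL) still carries
    headers, so it is returned rather than raised.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as e:
        return dict(e.headers.items())


# Constructed headers standing in for a captured response: the nosniff header came
# through, but Strict-Transport-Security was stripped somewhere in front of the app.
CAPTURED_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    expected = parse_header_setting(SETTING_VALUE)
    for name, (want, got) in missing_headers(expected, CAPTURED_HEADERS).items():
        print(f"{name}: expected {want!r}, got {got!r}")
```

To check a real deployment, replace CAPTURED_HEADERS with fetch_response_headers("https://your-host/prweb/") and run the comparison against a response that passed through every proxy and load balancer in the path, since those are the components most likely to drop or rewrite a header the application set.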
