HTTP response headers

To harden your application against browser-side attacks such as clickjacking and cross-site scripting, you can send HTTP response headers that instruct supporting browsers how to treat the page.

Make sure that you test every custom header that you create for your application. A header that is too strict, for example a Content-Security-Policy that blocks scripts the application depends on, or an X-Frame-Options value that blocks a portal that legitimately frames the application, can break how the application operates.

Pega Platform supports adding custom response headers. You might consider adding the following security headers to your application:

  • X-Frame-Options - Mitigates clickjacking. Tells the browser whether it may render the page inside a frame, iframe, embed, or object. Use DENY or SAMEORIGIN; the ALLOW-FROM form is not supported by current browsers, so use the Content-Security-Policy frame-ancestors directive when you need to allow a specific framing origin.
  • X-XSS-Protection - Controlled the reflected-XSS auditor that older browsers shipped. It does not prevent cross-site scripting, current browsers ignore it, and the auditor itself could be abused to leak information, so either omit the header or send X-XSS-Protection: 0 and rely on Content-Security-Policy to restrict where scripts can load from.
  • Strict-Transport-Security (HSTS) - Tells browsers to connect to the site only over HTTPS, not HTTP, for the number of seconds given by max-age. A value of at least one year, for example max-age=31536000; includeSubDomains, is common. Browsers honor the header only when they receive it over a valid HTTPS connection.
  • Content-Security-Policy - Controls which resources (scripts, styles, frames, images, and so on) the user agent may load for the page, and supersedes X-Frame-Options through its frame-ancestors directive. Roll it out as Content-Security-Policy-Report-Only first so that violations are reported rather than enforced while you confirm that the application still works.
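The following script is an added example, not Pega Platform code or configuration. It parses a raw HTTP response (as captured with, for example, curl -I) and reports headers from the list above that are missing or carry weak values, so that you can verify what the application actually sends after adding custom headers. The two responses, the one-year HSTS threshold, and the weak-CSP rules are assumptions chosen for illustration.

```python
import re

# Constructed sample responses, not captured from any real system.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same response with the values recommended above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 0\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "object-src 'none'; frame-ancestors 'self'\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_headers(raw):
    """Split a raw HTTP response into a dict keyed by lower-cased header name.
    Header names are case-insensitive; values keep their original case."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def csp_directives(policy):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return (header, problem) pairs; an empty list means nothing to fix."""
    findings = []

    xfo = headers.get("x-frame-options", "").upper()
    if not xfo:
        findings.append(("X-Frame-Options", "missing; set DENY or SAMEORIGIN"))
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options",
                         "value is not DENY or SAMEORIGIN; ALLOW-FROM is ignored "
                         "by current browsers, use CSP frame-ancestors instead"))

    xss = headers.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append(("X-XSS-Protection",
                         "legacy XSS auditor enabled; set to 0 or remove the header"))

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(("Strict-Transport-Security",
                             f"max-age={max_age} is below one year ({ONE_YEAR})"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "missing"))
    else:
        d = csp_directives(csp)
        scripts = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append(("Content-Security-Policy",
                             "script-src allows inline or wildcard scripts"))
        if "frame-ancestors" not in d:
            findings.append(("Content-Security-Policy", "no frame-ancestors directive"))

    return findings


def audit_response(raw):
    """Convenience wrapper: parse a raw response and audit its headers."""
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:")
        for header, problem in audit_response(raw) or [("-", "no findings")]:
            print(f"  {header}: {problem}")
```

Run it against the output of curl -I on the application's login page before and after the headers are added; the weak sample produces five findings and the hardened sample produces none. The CSP checks are deliberately minimal and only catch inline or wildcard script sources and a missing frame-ancestors directive; a full policy review still needs a human reading the directives.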