You can create a custom application header to improve the security of your application to protect it from client-based attacks. However, use caution when using custom application headers because they might interfere with how the application operates. Be sure to test the application after implementing custom application headers.
- In the navigation panel, click .
- In the Setting Purpose field, click the Filter icon.
- In the Search Text field, enter http/responseHeaders and click Apply.
- Click the instance that contains the name.
- On the Settings tab, in the Value field, enter the header parameters in the format: {"header name":"header value"}, or for multiple headers, {"header1 name":"header1 value","header2 name":"header2 value"}.
  Following are some examples:
  {"X-Content-Type-Options":"nosniff"}
  {"X-XSS-Protection":"1; mode=block"}
  {"Strict-Transport-Security":"max-age=31536000; includeSubDomains"}
  {"X-Content-Type-Options":"nosniff", "X-XSS-Protection":"1; mode=block"}
  You can add a Content-Security-Policy in a format such as {"Content-Security-Policy":"default-src 'self'"}, but best practice is to define content security policies as described in Securing your application with a content security policy.
  Note: For browsers other than Internet Explorer, do not attempt to set a custom X-Frame-Options response header. The correct security setting to use instead is Content Security Policy. For more information, see Content security policies. If you use both X-Frame-Options and content security policy, be sure to test to verify that the options function as intended.
- Optional: To see an example configuration, click the History tab.
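Before pasting a value into the http/responseHeaders setting, it helps to check that it really is a flat JSON object of header name to header value and to catch the problems the steps above warn about (a custom X-Frame-Options header, an HSTS value without max-age). The following Python checker is an added example, not part of the product or this page; the list of recommended headers and the line-break check are assumptions added here.

```python
import json

# Headers the procedure above recommends (assumption: the check only
# cares that each is present, not about its exact value).
RECOMMENDED = ("X-Content-Type-Options", "Strict-Transport-Security",
               "Content-Security-Policy")


def parse_response_headers(setting_value: str) -> dict:
    """Parse the http/responseHeaders value, a JSON object mapping header
    name to header value, e.g. {"X-Content-Type-Options":"nosniff"}.
    Raises ValueError for anything that is not a flat string->string object."""
    try:
        data = json.loads(setting_value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("value must be a JSON object of header name to value")
    for name, value in data.items():
        if not isinstance(name, str) or not isinstance(value, str):
            raise ValueError(f"header {name!r} must map a string to a string")
        # A CR/LF inside a header value would split the response header
        # (assumption: the setting should never contain one).
        if "\r" in value or "\n" in value:
            raise ValueError(f"header {name!r} contains a line break")
    return data


def review_headers(headers: dict) -> list:
    """Return warnings to resolve before applying the setting."""
    warnings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in RECOMMENDED:
        if name.lower() not in lower:
            warnings.append(f"missing {name}")
    if "x-frame-options" in lower:
        warnings.append("X-Frame-Options set; prefer Content-Security-Policy "
                        "(test both if you keep it)")
    hsts = lower.get("strict-transport-security", "")
    if hsts and "max-age=" not in hsts.replace(" ", "").lower():
        warnings.append("Strict-Transport-Security lacks max-age")
    return warnings


if __name__ == "__main__":
    # Constructed sample value taken from the examples in the steps above.
    sample = '{"X-Content-Type-Options":"nosniff", "X-XSS-Protection":"1; mode=block"}'
    for line in review_headers(parse_response_headers(sample)):
        print("warning:", line)
```

Run it against the exact value you plan to enter; a ValueError means the value would not parse as the documented format, and each warning names a header to add or reconsider.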