Configuring Custom HTTP Headers
Pulse Policy Secure (PPS) supports several HTTP headers, which are sent in response to client requests. Several more headers exist to improve security and prevent attacks such as XSS. The Custom HTTP Headers configuration enables the administrator to add new headers that they want to enforce.
To configure a custom HTTP header:
1. Select System > Configuration > Security > Advanced.
2. In the Custom HTTP Headers section, enter the HTTP header name and the directives along with the values.
3. Click Add.
4. Multiple headers can be added or removed. After adding the headers, click Save Changes.
- The administrator should ensure the correctness of the values that they enter, as the system validation on the input values is limited.
- If an administrator-configured HTTP header affects the way the page is rendered or results in a lockout, use the console option to reset the custom HTTP header values.
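Because system validation of the entered values is limited, a header name and value can be checked before they are typed into the Custom HTTP Headers section. The following is an added example, not part of PPS or its documentation: the function names and sample entries are constructed, and the per-header value rules are assumptions drawn from the public header specifications rather than from PPS behavior.

```python
import re

# RFC 7230 "token": characters allowed in an HTTP header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters other than tab; CR and LF would split the response header.
CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

REFERRER = {"no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "same-origin", "strict-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}

def _hsts_ok(value):
    # Directives may come in any order; max-age is mandatory. Unknown
    # directives are flagged on purpose, since they are usually typos.
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    known = re.compile(r"max-age=\d+|includesubdomains|preload")
    return (any(p.startswith("max-age=") for p in parts)
            and all(known.fullmatch(p) for p in parts))

# Value checks for some headers from the table, keyed by lower-case name
# (assumed rules, taken from the public specifications of each header).
RULES = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.lower() in ("deny", "sameorigin"),
    "strict-transport-security": _hsts_ok,
    "referrer-policy": lambda v: bool(v) and all(
        p.strip().lower() in REFERRER for p in v.split(",")),
}

def check_header(name, value):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    if not TOKEN.fullmatch(name):
        problems.append("invalid header name")
    if CTL.search(value):
        problems.append("control character in value")
    rule = RULES.get(name.lower())
    if rule and not rule(value.strip()):
        problems.append("unexpected value for " + name)
    return problems

# Constructed sample entries, as an administrator might type them.
SAMPLES = [("X-Content-Type-Options", "nosniff"),
           ("X-Frame-Options", "ALLOWALL"),
           ("Strict-Transport-Security", "max-age=31536000; includeSubDomain"),
           ("X Custom", "1")]

if __name__ == "__main__":
    for n, v in SAMPLES:
        print(n, "->", check_header(n, v) or "ok")
```

Headers without an entry in `RULES` (for example Content-Security-Policy) are only checked for name syntax and control characters, so their directives still need manual review.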
The following table lists the OWASP-recommended headers.
| Header | Need PPS Web Server Changes | Supported Browsers |
|---|---|---|
| HPKP | Yes | Firefox, Chrome, Opera |
| X-XSS-Protection | No | Chrome and IE |
| X-Content-Type-Options | No | Firefox, Chrome, Opera and IE |
| Content-Security-Policy | Yes | All major browsers |
| X-Permitted-Cross-Domain-Policies | Yes | Not supported |
| Referrer-Policy | No | Chrome, Firefox and Opera |
| Expect-CT | No | Chrome and Opera |
| Feature-Policy | No | Not supported |
| HSTS | No | |
| X-Frame-Options | No | |