Creating a custom application header
You can create a custom application header to improve the security of your application and protect it from client-based attacks. However, use caution with custom application headers because they might interfere with how the application operates. Be sure to test the application after you implement custom application headers.
1. In the navigation panel, click .
2. In the Setting Purpose field, click the Filter icon.
3. In the Search Text field, enter http/responseHeaders and click Apply.
4. Click the instance that contains that name.
5. On the Settings tab, in the Value field, enter the header parameters in the format {"header name":"header value"}, or for multiple headers, {"header1 name":"header1 value","header2 name":"header2 value"}.
   Following are some examples:
   {"X-Content-Type-Options":"nosniff"}
   {"X-XSS-Protection":"1; mode=block"}
   {"Strict-Transport-Security":"max-age=31536000; includeSubDomains"}
   {"X-Content-Type-Options":"nosniff", "X-XSS-Protection":"1; mode=block"}
   You can add a Content-Security-Policy in a format such as {"Content-Security-Policy":"default-src 'self'"}, but best practice is to define content security policies as described in Securing your application with a content security policy.
   For browsers other than Internet Explorer, do not attempt to set a custom X-Frame-Options response header. The correct security setting to use instead is Content Security Policy. For more information, see Content security policies. If you use both X-Frame-Options and a content security policy, test to verify that the options function as intended.
6. Optional: To see an example configuration, click the History tab.
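The following script is an added example, not part of this page or of the product it documents. It shows the two checks a practitioner would want around this procedure: validating that a value in the {"header name":"header value"} format is well-formed before it is saved (rejecting non-string values, invalid header names, and CR/LF characters that would split a header), and comparing the configured headers against the headers a server actually returned after the change. The setting value, the observed response headers, and the function names are all constructed for the example; the X-Frame-Options note follows the guidance above that Content Security Policy is the correct setting for browsers other than Internet Explorer.

```python
import json
import re

# Constructed sample value for the http/responseHeaders setting,
# in the {"header name":"header value"} format used in the procedure.
SAMPLE_SETTING = (
    '{"X-Content-Type-Options":"nosniff", '
    '"X-XSS-Protection":"1; mode=block", '
    '"Strict-Transport-Security":"max-age=31536000; includeSubDomains"}'
)

# Constructed sample of the headers a server returned after the change
# (note the X-XSS-Protection value does not match the setting above).
SAMPLE_OBSERVED = {
    "content-type": "text/html; charset=UTF-8",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "0",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}

# Header names must be RFC 7230 tokens: no spaces, colons, or control characters.
_HEADER_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_setting(value: str) -> dict:
    """Parse a setting value and reject anything a server could not emit safely."""
    try:
        obj = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"setting is not valid JSON: {exc}") from None
    if not isinstance(obj, dict) or not obj:
        raise ValueError("setting must be a non-empty JSON object of header names to values")
    headers = {}
    for name, val in obj.items():
        if not isinstance(val, str):
            raise ValueError(f"value for {name!r} must be a string")
        if not _HEADER_TOKEN.match(name):
            raise ValueError(f"{name!r} is not a valid header name")
        if "\r" in val or "\n" in val:
            # A line break in a value would end the header early and let the
            # remainder be interpreted as a separate, unintended header.
            raise ValueError(f"value for {name!r} contains a line break")
        headers[name] = val
    return headers


def build_setting(headers: dict) -> str:
    """Serialize validated headers back into the setting's JSON format."""
    parse_setting(json.dumps(headers))  # validate before returning the string
    return json.dumps(headers)


def check_headers(expected: dict, observed: dict) -> dict:
    """Compare configured headers with a response; returns problems keyed by header name.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in observed.items()}
    problems = {}
    for name, want in expected.items():
        got = lower.get(name.lower())
        if got is None:
            problems[name] = "missing"
        elif got.strip() != want.strip():
            problems[name] = f"expected {want!r}, got {got!r}"
    return problems


def framing_advice(expected: dict) -> list:
    """Flag X-Frame-Options configured without a CSP frame-ancestors directive."""
    names = {k.lower(): v for k, v in expected.items()}
    notes = []
    csp = names.get("content-security-policy", "")
    if "x-frame-options" in names and "frame-ancestors" not in csp:
        notes.append(
            "X-Frame-Options is set but no Content-Security-Policy frame-ancestors "
            "directive is configured; prefer CSP for browsers other than Internet Explorer."
        )
    return notes


if __name__ == "__main__":
    configured = parse_setting(SAMPLE_SETTING)
    print("configured:", configured)
    print("problems:", check_headers(configured, SAMPLE_OBSERVED))
    print("advice:", framing_advice({"X-Frame-Options": "DENY"}))
```

To use this against a real deployment, paste the value from the Settings tab into parse_setting, fetch a page from the application with your HTTP client of choice, and pass the returned headers to check_headers; a non-empty result means the header was not applied or was overridden somewhere else in the response path.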
- Using HTTP response headers
To improve the security of your application against client-based attacks, you can use the HTTP response headers that are supported by your browser.
- Testing a custom application header
To determine whether a custom application header has been correctly applied, you need to test it.