Using HTTP response headers


To improve the security of your application against client-based attacks, you can use the HTTP response headers that are supported by your browser.

Test every custom header that you create for your application, because in some situations custom headers can interfere with how the application operates.

Pega Platform supports adding custom headers, but it sends them only on dynamic content requests, not on static content requests.

You might consider adding the following security headers to your application:

  • X-XSS-Protection – Prevents cross-site scripting, that is, attackers injecting client-side scripts into the pages that the user views.
  • Strict-Transport-Security – Allows a website to tell browsers that they should communicate only by using HTTPS, not HTTP.

For browsers other than Internet Explorer, do not attempt to set a custom X-Frame-Options response header. Instead, use a Content Security Policy. If you use both X-Frame-Options and a content security policy, test to verify that the options function as intended.
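The following added example (not code from the original page or from Pega) audits a captured set of response headers for the points made above: whether Strict-Transport-Security and X-XSS-Protection are present, whether framing is controlled by a CSP frame-ancestors directive, and whether X-Frame-Options and CSP are both set and therefore need to be tested together. The two header sets are constructed samples, one standing in for a dynamic content response and one for a static content response that did not receive the custom headers; the one-year max-age threshold is an assumption based on common HSTS guidance, not a value from the page.

```python
"""Audit HTTP response headers for the security headers discussed above."""
import re
from typing import Dict, List, Optional

# Commonly recommended minimum HSTS lifetime (one year, in seconds). Assumption, not from the page.
HSTS_MIN_MAX_AGE = 31536000


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age value from a Strict-Transport-Security header, or None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the sources listed in a CSP frame-ancestors directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's headers (empty list means nothing to report)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no max-age")
        elif max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {max_age} is shorter than one year")

    if "x-xss-protection" not in h:
        findings.append("missing X-XSS-Protection")

    csp = h.get("content-security-policy")
    ancestors = csp_frame_ancestors(csp) if csp else None
    xfo = h.get("x-frame-options")
    if ancestors is None and xfo is None:
        findings.append("no framing control: neither CSP frame-ancestors nor X-Frame-Options")
    if ancestors is not None and xfo is not None:
        findings.append("both X-Frame-Options and CSP frame-ancestors are set; test that they agree")
    return findings


def audit_responses(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit several captured responses (URL -> headers) and map each URL to its findings."""
    return {url: audit_headers(headers) for url, headers in responses.items()}


# Constructed sample: a dynamic content response that carries the custom headers.
DYNAMIC_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}

# Constructed sample: a static content response on which the custom headers were not sent.
STATIC_HEADERS = {
    "Content-Type": "text/css",
    "Cache-Control": "max-age=86400",
}

if __name__ == "__main__":
    for url, findings in audit_responses(
        {"/app/page (dynamic)": DYNAMIC_HEADERS, "/static/app.css (static)": STATIC_HEADERS}
    ).items():
        print(url, "->", findings or ["ok"])
```

Run against headers captured from both a dynamic page and a static asset, the audit shows which responses lack the headers, which is the practical consequence of the platform sending custom headers only on dynamic content: any header that must also cover static content has to be added elsewhere, for example at a reverse proxy or web server in front of the platform (an assumption about deployment, not a statement from the page).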

For more information, see Content security policies.
