Unable to set cross site scripting response header
After upgrading from PRPC 6.1 SP1 (with CPM SP1) to Pega 7.1.7, the following cross-site scripting and content sniffing prevention response headers are not set.
Steps to Reproduce
1. Configure a custom authentication service (WebLDap1) for logging into Pega.
2. Create a custom authentication activity which includes a java step to add the required response headers.
3. Log in using the servlet to which the authentication service is configured.
4. Monitor server response headers using browser developer tools or Fiddler.
In most architectures, security-related HTTP headers can be set in the web server configuration (Apache, IIS, nginx) without changing the application's own code. This offers a significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.
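As an added illustration of that approach (not configuration from the original page, from Pega, or from the authentication service it describes), the nginx fragment below sets the two response headers the page's wording points at. It assumes those headers are X-Content-Type-Options (content-sniffing prevention) and X-XSS-Protection (the legacy browser XSS filter), and that Pega is reached through a reverse-proxied location such as /prweb; the upstream name and path are placeholders.

```nginx
# Added example: set browser-protection headers at the reverse proxy,
# so they are present regardless of what the application behind it does.
# The upstream name and the /prweb path are assumptions, not values from the page.
upstream pega_app {
    server 127.0.0.1:8080;   # placeholder for the application server
}

server {
    listen 443 ssl;
    server_name pega.example.internal;   # placeholder host name

    # "always" makes nginx emit the header on every response code,
    # including 3xx/4xx/5xx; without it the header is only added to
    # 200/204/206/301/302/303/304/307/308 responses.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location /prweb/ {
        # add_header is NOT inherited into a location block that declares
        # its own add_header directive; repeat both headers here so that
        # adding an unrelated header in this block later does not silently
        # drop the protections configured at server level.
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        proxy_pass http://pega_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading the configuration (`nginx -t && nginx -s reload`), repeat step 4 above and confirm both headers appear on the login servlet's response, including on redirects issued during authentication, since those are the responses that are most often missed. The equivalent Apache directives are `Header always set X-Content-Type-Options "nosniff"` and `Header always set X-XSS-Protection "1; mode=block"` with mod_headers enabled.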