Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Unable to set cross site scripting response header



After upgrading from PRPC 6.1 SP1 (with CPM SP1) to Pega 7.1.7, the following cross-site scripting and content sniffing prevention response headers are not set.
  • X-XSS-Protection:1;mode=block
  • X-Content-Type-Options:no-sniff

Error Messages

Not Applicable

Steps to Reproduce

1. Configure a custom authentication service (WebLDap1) for logging into Pega.
2. Create a custom authentication activity which includes a java step to add the required response headers.
3. Log in using the servlet to which the authentication service is configured.
4. Monitor server response headers using browser developer tools or Fiddler.

Root Cause

In most architectures, Security-related HTTP headers can be set in web server configuration (Apache, IIS, nginx), without changing actual application's code. This offers significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.



Security-related HTTP headers can be set in web server configuration and are not required to include in application. Pega has a Content Security Policy you can use, to restrict the content based on creating own policy.
Suggest Edit

Published September 4, 2015 - Updated October 8, 2020

Did you find this content helpful? Yes No

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us