Support Article
Unable to set cross-site scripting response headers
SA-14008
Summary
After upgrading from PRPC 6.1 SP1 (with CPM SP1) to Pega 7.1.7, the following cross-site scripting and content-sniffing prevention response headers are no longer set on responses:
- X-XSS-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
Error Messages
Not Applicable
Steps to Reproduce
1. Configure a custom authentication service (WebLDap1) for logging in to Pega.
2. Create a custom authentication activity that includes a Java step to add the required response headers.
3. Log in through the servlet that the authentication service is configured for.
4. Inspect the server response headers using the browser's developer tools or Fiddler: the two headers are absent.
Root Cause
In most architectures, security-related HTTP headers can be set in the web server or reverse proxy configuration (Apache, IIS, nginx) without changing the application's code. Setting them there is significantly faster and cheaper than an application change, provides at least partial mitigation for existing issues, and adds a layer of defense for new applications. An authentication activity is not a reliable place to add them, because it runs only on the login request rather than on every response.
Resolution
Security-related HTTP headers can be set in the web server configuration and do not need to be added by the application. Pega also provides a Content Security Policy feature that lets you define your own policy to restrict the content the browser is allowed to load. Note that current browsers no longer implement the XSS filter that X-XSS-Protection controlled, so a Content Security Policy is the effective control against cross-site scripting; X-Content-Type-Options: nosniff remains relevant and must be spelled exactly that way (browsers ignore the common variant "no-sniff").
Published September 4, 2015 - Updated October 8, 2020