Adding HTTP headers on web app

Hi, I’m testing the security of my web app. I use the ZAP tool to accomplish the OWASP standard, and as a result I receive some warnings. To resolve these warnings I need to add some HTTP headers to the app, but I can’t find any info in the documentation; all I found is about HTML headers. Does anyone know how to do that?

This is a warning example:
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser’s XSS protection mechanism. The following values would attempt to enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
The following values would disable it:
X-XSS-Protection: 0
The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).
Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Thanks in advance

You can’t add your own headers at this time for standalone apps. For cgi, you would need to configure your web server to add them for you.

Thanks Greg, my web app is standalone. I have a problem: I need to pass these security tests. Maybe with a reverse proxy or something like that; I will continue looking for a workaround.

Thanks again

Fwiw, if your app is exposed to the internet, you should have it behind a load balancer or reverse proxy anyway.

Try HAProxy. Works great.
There is a tutorial by John Joyce here somewhere :)
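
The reverse-proxy approach suggested in this thread, as an added example that is not part of any post above and is not taken from the tutorial mentioned: a minimal HAProxy configuration that puts the header from the quoted ZAP alert on every response from the standalone app. The listen port, the app's address and port, and the section names are assumptions.

```haproxy
# Added example. Ports, addresses and section names are assumptions,
# not values from the thread.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend web_in
    # Public listener; clients talk to HAProxy, never to the app directly
    bind *:80
    default_backend standalone_app

backend standalone_app
    # The standalone app, assumed to listen on loopback only
    server app1 127.0.0.1:8080 check

    # Header value taken from the ZAP alert quoted in the question.
    # set-header replaces any value the app may already send, so the
    # response carries exactly one copy of the header.
    http-response set-header X-XSS-Protection "1; mode=block"

    # Any other response header a scan reports as missing is added the
    # same way, one "http-response set-header <name> <value>" line each.
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading, then confirm the header is present with `curl -sI http://localhost/` and re-run the scan against the proxy's address rather than the app's.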