Security Headers in a Web Application

We had a pen test done on one of our web applications and an issue that was raised was that the application did not return any security headers when supplying a page to the browser. Some examples that they recommended are:

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block

Looking at the documentation, I can’t see how I can include these and other headers.

How do I go about setting additional response headers to the browser from my web application?

Thanks in advance.

This is 2019r3. Anyone?

You can edit the HTMLHeader property in the App object, maybe this helps you?

For ALL sessions set App.HTMLHeader:

<meta http-equiv="Strict-Transport-Security" content="max-age=31536000; includeSubDomains">
<meta http-equiv="X-XSS-Protection" content="1; mode=block">

For per-session (changing) values:
In Session.PreparingSession you set the HTMLHeader value to contain:

<meta http-equiv="Strict-Transport-Security" content="max-age=31536000; includeSubDomains">
<meta http-equiv="X-XSS-Protection" content="1; mode=block">

Thanks very much! I’ll give that a go

Unfortunately this doesn’t actually set the response headers and only simulates a very limited number of headers.

Browsers read the values; it won’t change the response headers, but browsers handle it like this.

If you finally reach a dead end solving this using the framework (this happens all the time with any kind of web framework), you can add, edit or remove the headers directly from the web server (Apache / Nginx).
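Doing it at the web server, as the reply above suggests, looks like this for nginx as a TLS-terminating reverse proxy in front of the app. This is an added example, not from the thread or the framework; the upstream address 127.0.0.1:8080, the host name example.com and the certificate paths are assumed placeholders.

```nginx
# Added example: nginx adds the response headers the pen test asked for,
# independently of what the web framework can or cannot emit.
# Assumed: the app listens on 127.0.0.1:8080; example.com and the
# certificate paths are placeholders to replace with your own values.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder

    # "always" makes nginx send the header on every status code (4xx/5xx
    # included); without it only 2xx/3xx responses get the header.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block" always;
    # Further headers recommended by the test follow the same pattern.

    location / {
        # Keep every add_header at one level: a block that declares its own
        # add_header does NOT inherit the ones from the enclosing block.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Browsers only honour Strict-Transport-Security on HTTPS responses, so
# plain HTTP is redirected rather than served.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, `curl -sI https://example.com/` shows the headers in the actual HTTP response, which is what the pen test checks (a `<meta http-equiv>` tag in the page body does not appear there).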

It would be the least we can ask to be able to set headers. I can’t find the way to do this from Session. Maybe @Greg_O_Lone can tell us how we can do this?