Setting Custom Headers XSS issues (6.1SP2)
I have a need to set custom response headers to address XSS vulnerabilities discovered in a recent app scan.
I understand that in 7.XX we can make use of a DSS to set custom response headers. However, in 6.1 SP2 there is nothing that enables us to do so.
I have tried modifying status.jsp to set the header, but that does not work either,
e.g. in status.jsp: response.addHeader("X-XSS Protection Header", "1");
I am going to see if we can make changes to the LB monitor, but I am not sure that would work.
On a native platform, e.g. a .NET app, you can set it through IIS Manager, but WAS does not provide anything.
I am going to open an SR tomorrow but wondering if peers have come across the same and have found a solution.
Below is what we need.
Content-Security-Policy
X-Content Type-Options
X-XSS Protection Header
x-Frame-Options
X-XSS Protection Policy
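Added example, not code from the original post and not part of Pega PRPC: a plain servlet filter that stamps the requested headers on every response. It assumes the application runs in a standard servlet container (WebSphere included) where a filter can be registered in web.xml; the class name SecurityHeadersFilter, the init-parameter name and the header values are assumptions. It uses the standard header names (X-XSS-Protection, X-Frame-Options) rather than the spellings in the list above, and the Content-Security-Policy value is a placeholder that has to be derived from what the application actually loads, since a policy that is too strict will block the application's own inline scripts and styles.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Pega PRPC) that sets browser-protection
 * response headers before the servlet or JSP writes the response body.
 */
public class SecurityHeadersFilter implements Filter {

    // Placeholder policy: same-origin only. Replace with a policy derived from
    // the scripts, styles, images and frames the application really uses.
    private String contentSecurityPolicy = "default-src 'self'";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Optional override from web.xml so the policy can be tuned without a rebuild.
        String configured = config.getInitParameter("contentSecurityPolicy");
        if (configured != null && configured.trim().length() > 0) {
            contentSecurityPolicy = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // Headers set after the response is committed (first flush of the body)
            // are silently dropped by the container, so set them here, before the
            // rest of the chain and the target servlet/JSP run.
            if (!httpResponse.isCommitted()) {
                applyHeaders(httpResponse);
            }
        }
        chain.doFilter(request, response);
    }

    /** Uses setHeader, not addHeader, so the headers cannot be duplicated if the filter runs twice. */
    void applyHeaders(HttpServletResponse response) {
        response.setHeader("Content-Security-Policy", contentSecurityPolicy);
        // Stops browsers from sniffing a response into a script or stylesheet type.
        response.setHeader("X-Content-Type-Options", "nosniff");
        // Legacy reflective-XSS filter in older browsers; mode=block stops rendering instead of sanitising.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // Only same-origin pages may frame the application (clickjacking defence).
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Register it in the application's web.xml with a `<filter>` element naming the class and a `<filter-mapping>` whose `<url-pattern>` is `/*`, placed before any other filter mappings so it runs first. After deployment, confirm the headers are present with a plain request such as `curl -I https://host/prweb/` and check that the scan no longer reports them missing; if a header is absent only on some pages, that page is committing the response (for example by flushing a large buffer) before the filter's headers could be written, which is the same failure mode that makes a late addHeader call in a JSP ineffective.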