
Security Headers

The X-Frame-Options header cannot be set for CxSAST. Instead, the following security headers can be used:

  • Content-Security-Policy – can be set, for example to: Content-Security-Policy: default-src 'self'

    This header is not a full replacement for X-Frame-Options. Framing is governed by the frame-ancestors directive, which does not fall back to default-src, so a policy of only default-src 'self' does not restrict which sites may frame the portal; it does, however, restrict where scripts, styles and other resources may be loaded from, which adds defence in depth.

  • Strict-Transport-Security (HSTS) – can be set to: Strict-Transport-Security: max-age=31536000; includeSubDomains

    A max-age of 31536000 seconds is one year. Only send this header over HTTPS; browsers ignore it on plain HTTP responses. For instructions about setting up an HSTS header, see Enabling SSL Support on the CxManager.

  • X-Content-Type-Options – can be set to: X-Content-Type-Options: nosniff

  • Secure cookie attribute – the Secure attribute on cookies matters when a site is reachable over both HTTP and HTTPS, or mixes the two, which is not the case with CxSAST. Note that the attribute stops the browser from sending the cookie on any http:// request to the host, even one the server would not answer, so it remains worth setting where the deployment allows it.

To allow maximum flexibility for different customers and deployment types, other headers can be set explicitly.
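The following audit script is an added example, not Checkmarx code, showing how to verify that a CxSAST front end returns the headers listed above with sane values. It goes slightly beyond the page: it parses the CSP into directives and reports when frame-ancestors is absent (the reason default-src 'self' alone does not replace X-Frame-Options), and it checks the HSTS max-age and includeSubDomains flag rather than just header presence. The two header sets at the bottom are constructed for illustration; in practice you would pass in the headers of an HTTPS response from the portal.

```python
"""Audit the security headers returned by a CxSAST front end.

Added example, not Checkmarx code. The sample header dicts at the bottom are
constructed for illustration, not captured from a real system."""

import re

ONE_YEAR = 31536000  # seconds; the max-age recommended on the page


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value.

    Tolerates whitespace around ';' and optional quotes around the number."""
    max_age = None
    include_sub = False
    for part in value.split(";"):
        part = part.strip()
        m = re.fullmatch(r"max-age\s*=\s*\"?(\d+)\"?", part, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif part.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively. An empty list means every
    header the page recommends is present with an acceptable value."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        if "frame-ancestors" not in policy:
            # frame-ancestors does not fall back to default-src, so a policy of
            # only default-src 'self' leaves framing completely unrestricted.
            findings.append("CSP has no frame-ancestors; framing is unrestricted")
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    return findings


# Constructed sample responses: one with weak values, one hardened as the page recommends.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
}

HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

The check on frame-ancestors is the one worth keeping even if you trim the rest: a deployment that cannot set X-Frame-Options and ships only default-src 'self' will pass a naive "is CSP present" test while still being frameable.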