Configure the HTTP response headers
The following settings configure the HTTP response headers that add security by controlling what a browser renders on a page:
- Content-Security-Policy
  Modifies where the application can load resources from. The value of this setting is merged with the value set by the system and added as a header to all page responses. The system value also includes the hostname of the reporting server and some other settings required by the application.
  The setting uses the Content Security Policy syntax. For more information, see Content Security Policy.
  Example value:
  default-src myserver.com:100
- X-Frame-Options
  Controls which origins may render the page inside a frame. This header is added to all page responses. The value here overrides the default, which is SAMEORIGIN.
  Example value:
  DENY
- X-Content-Type-Options
  Prevents the browser from trying to determine (sniff) a content type for a resource that differs from the declared content type. This header is added to all page responses. To override the default, enter an invalid string, for example, a space character.
  Default:
  nosniff
- X-XSS-Protection
  Enables the X-XSS-Protection header on server responses. If X-XSS-Protection is set to true, the X-XSS-Protection header is set to 1; mode=block. For more information, see Security cross-site scripting filter settings.
  Default:
  false
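As an added example (not part of the product's documentation or code), the following Python audit checks a response's header map against the four headers described above, so the effect of each setting can be verified on a live response. The two header maps are constructed samples, not captured from any real server.

```python
"""Audit a response header map for the four security headers configured above."""
from __future__ import annotations

# Constructed sample responses (hypothetical, for illustration only).
HARDENED = {
    "Content-Security-Policy": "default-src myserver.com:100; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
WEAK = {
    "Content-Security-Policy": "default-src *",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": " ",  # a space: the override described above, disabling nosniff
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means all four headers look as expected."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "*" in parse_csp(csp).get("default-src", []):
        findings.append("Content-Security-Policy: default-src allows any origin (*)")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN: %r" % (xfo or "missing"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff; MIME sniffing is allowed")

    # The setting above emits exactly this value when enabled; it is off by default.
    if h.get("x-xss-protection") != "1; mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    return findings
```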