02-Mar-2023 10:17
Hi there,
We need to turn on security headers for ASM response and blocking pages. There is a KB (K25232031) that mentions it being enabled by default for version 16.0.0.
We are running a prior version. Does anyone know if this is possible on earlier versions?
02-Mar-2023 11:30 - edited 02-Mar-2023 11:32
Hi,
You can add response headers from the "Response and Blocking Pages" settings.
Security > Application Security > Security Policies > Policies List > waf_policy_name > Response and Blocking Pages > Custom Response
03-Mar-2023 01:23 - edited 03-Mar-2023 01:26
K25232031 is interesting, thanks for the link.
About X-XSS-Protection: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
About X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Adding a simple Content-Security-Policy will be the better way. I have not tested it, but this should suffice:
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
P.S.: I always change the Response Code to 403
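As an added example (not code from the thread or from F5), here is a small Python check that inspects a blocking-page response for what the replies above propose: the Content-Security-Policy with `default-src 'self'` and `frame-ancestors 'self'`, the X-Frame-Options header from the KB link, and the 403 response code from the P.S. The sample response is constructed for illustration; the Support ID is a placeholder.

```python
# Added example: validate the security headers on an ASM custom blocking page.
# The response below is constructed, not captured from a real BIG-IP.
from typing import Dict, List, Tuple

SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>Request rejected. Support ID: <placeholder></body></html>"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header map)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Turn 'default-src a b; frame-ancestors c' into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_blocking_page(raw: str) -> List[str]:
    """Return findings for a blocking-page response; an empty list means it passes."""
    findings: List[str] = []
    status, headers = parse_response(raw)
    if status != 403:
        findings.append(f"status {status}, expected 403")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = parse_csp(csp)
        if directives.get("default-src") != ["'self'"]:
            findings.append("Content-Security-Policy default-src is not 'self'")
        if "frame-ancestors" not in directives:
            findings.append("Content-Security-Policy lacks frame-ancestors")
    if "x-frame-options" not in headers:
        findings.append("missing X-Frame-Options")
    return findings
```

Run `check_blocking_page` against the body of a real blocking response (for example, one captured with curl) to confirm the custom headers actually reach the client.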