[Factory Configuration] How to - Setup the web.config file to send HTTP Security Headers to your App
Question
factory-configuration
Forge component by Platform Maintenance

In OutSystems, it's possible to customize the web.config of an application to include custom headers using the Factory Configuration application. To accomplish this, here's what you'll need to do:

  1. Install Factory Configuration app from the Forge;

  2. Navigate to Factory Configuration > Shared Configurations > Create New Shared Configuration;

  3. Insert the following content in the form of the Shared Configuration:

    • Name: A name that you find appropriate and indicates what the setting does, e.g., 'Security Headers'

    • Kind: Select 'web.config_XSL' from the dropdown.

    • Value: The XSL template that finds the element /configuration/system.webServer/httpProtocol/customHeaders and adds to it a new add element.

      <?xml version="1.0" encoding="UTF-8"?>
      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      
          <xsl:output method="xml" indent="yes" encoding="UTF-8"/> 
      
          <xsl:template match="@*|node()">
              <xsl:copy>
                  <xsl:apply-templates select="@*|node()"/>
              </xsl:copy>
          </xsl:template>
       
          <xsl:template match="/configuration/system.webServer/httpProtocol/customHeaders">
              <xsl:copy>
                  <xsl:apply-templates select="@*|node()"/>
                  <add name="X-Frame-Options" value="SAMEORIGIN" />
                  <add name="X-XSS-Protection" value="1; mode=block" />
              </xsl:copy>
          </xsl:template>
      
      </xsl:stylesheet>
  4. After creating the template, we need to associate it to the eSpace(s). To do this, one has to: 

    • Navigate to Factory Configurations > eSpaces;

    • Select the eSpace(s) that require this setting;

    • In the eSpace page, select the Shared Configuration created in step 3 from the dropdown and click the Associate button.

    • Apply settings to the mentioned eSpace(s) for the configuration to be effective. You can do this by adding the necessary eSpace(s) to a Solution and publishing it.
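
A check for the outcome of step 4, added here as an example (it is not part of the original post or of Factory Configuration): it reads the text of a published web.config and reports when the template's match found no customHeaders element to extend, or when the appended entries duplicate a header name that was already there, which IIS rejects as a duplicate collection entry. The function name, the sample documents and the wording of the findings are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Header names and values copied from the template in the post above.
EXPECTED = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"}
# Same element the template's match pattern targets, relative to <configuration>.
SECTION = "./system.webServer/httpProtocol/customHeaders"

def audit_custom_headers(web_config_xml, expected=EXPECTED):
    """Return findings for the <customHeaders> section; an empty list means OK."""
    root = ET.fromstring(web_config_xml)
    section = root.find(SECTION) if root.tag == "configuration" else None
    if section is None:
        # The template only extends an existing element, so nothing was added.
        return ["customHeaders element not found: template matched nothing"]
    values = defaultdict(list)
    for add in section.findall("add"):
        # HTTP header names are case-insensitive, so compare in lower case.
        values[add.get("name", "").lower()].append(add.get("value", ""))
    findings = []
    for name, vals in sorted(values.items()):
        if len(vals) > 1:
            findings.append(f"duplicate entry for {name}: {vals}")
    for name, want in expected.items():
        vals = values.get(name.lower(), [])
        if not vals:
            findings.append(f"missing {name}")
        elif any(v != want for v in vals):
            findings.append(f"unexpected value for {name}: {vals}")
    return findings

# Constructed samples (not taken from a real environment).
GOOD = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="X-Frame-Options" value="SAMEORIGIN" />
  <add name="X-XSS-Protection" value="1; mode=block" />
</customHeaders></httpProtocol></system.webServer></configuration>"""

NO_SECTION = "<configuration><system.webServer /></configuration>"

# The base file already set X-Frame-Options before the template appended its own.
DUPLICATE = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="X-Frame-Options" value="DENY" />
  <add name="X-Frame-Options" value="SAMEORIGIN" />
  <add name="X-XSS-Protection" value="1; mode=block" />
</customHeaders></httpProtocol></system.webServer></configuration>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("no section", NO_SECTION), ("duplicate", DUPLICATE)):
        print(label, "->", audit_custom_headers(doc) or "OK")
```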

2019-05-21 14-46-00
Adriano Ramos

Example of a referrer-policy header:

<add name="Referrer-Policy" value="no-referrer" />
2019-05-21 14-46-00
Adriano Ramos

Examples of disabling cache:

<add name="Cache-Control" value="no-store" />
<add name="Cache-Control" value="no-cache" />
<add name="Pragma" value="no-cache" />