[Factory Configuration] How to - Setup the web.config file to send HTTP Security Headers to your App
Web icon
Forge component by Platform Maintenance

n OutSystems, it's possible to customize the web.config of an application to include custom headers using the Factory Configuration application. To accomplish this, here's what you'll need to do:

  1. Install Factory Configuration app from the Forge;

  2. Navigate to Factory Configuration > Shared Configurations > Create New Shared Configuration;

  3. Insert the following content in the form of the Shared Configuration:

    • Name: A name that you find appropriate and indicates what the setting does, e.g., 'Security Headers'

    • Kind: Select 'web.config_XSL' from the dropdown.

    • Value: The XSL template that finds the element /configuration/system.webServer/httpProtocol/customHeaders and adds to it a new add element.

      <?xml version="1.0" encoding="UTF-8"?>
      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
          <xsl:output method="xml" indent="yes" encoding="UTF-8"/> 
          <xsl:template match="@*|node()">
                  <xsl:apply-templates select="@*|node()"/>
          <xsl:template match="/configuration/system.webServer/httpProtocol/customHeaders">
                  <xsl:apply-templates select="@*|node()"/>
                  <add name="X-Frame-Options" value="SAMEORIGIN" />
                  <add name="X-XSS-Protection" value="1; mode=block" />
  4. After creating the template, we need to associate it to the eSpace(s). To do this, one has to: 

    • Navigate to Factory Configurations > eSpaces;

    • Select the eSpace(s) that that requires having this setting;

    • In the eSpace page, select the Shared Configuration created in step 3 from the dropdown and click the Associate button.

    • Apply settings to the mentioned eSpace(s) for the configuration to be effective. You can do this by adding the necessary eSpace(s) to a Solution and publishing it.

2019-05-21 14-46-00
Adriano Ramos

Example of a referrer-policy header:

<add name="Referrer-Policy" value="no-referrer" />
2019-05-21 14-46-00
Adriano Ramos

Examples of disabling cache:

<add name="Cache-Control" value="no-store" />
<add name="Cache-Control" value="no-cache" />
<add name="Pragma" value="no-cache" />
Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.