HTTP Security Header Issue
Application Type
Traditional Web
Platform Version
11.9.0 (Build 17011)


We have a HTTP Security Header issue is detected by Security scan for go-live about  

- HTTP Header Information Disclosure 

- Missing 'Expect-CT' Header 

- Missing 'X-Frame-Options' Header 

- Missing 'X-XSS-Protection' Header 

- Missing Content Security Policy 

Could you please suggest how to config to solve this problem?

Thank you for your help.

Best Regards,


If you are on-premises you can remove/add headers yourself, refer to those articles:
Remove Unwanted HTTP Response Headers
How to Implement Security HTTP Headers to Prevent Vulnerabilities

If you are on cloud, you will have to open a support ticket to OS. 

Some of the headers, i.e. CSP, can be enabled from LifeTime security settings.

Hi Paticorn,

On the Self-managed (on-premise) environment, one should be able to manage most of them. 

Apart of them checkout how to use/configure the Content Security Policy, against code injection attacks in applications, irrespective of the environment and infrastructure. CSP is configured using directives that are sent to browsers in HTTP headers.  Learn about it at Apply Content Security Policy

Additionally, in terms of Information Disclosure and other vulnerabilities, checkout the OutSystems' stand at  Vulnerabilities page.



Also, have a look at this post Removing IIS Response Header

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.