No Results
HTTP Security Headers

HTTP Security Headers

This article discusses the security headers used to control whether and how edgeCore is rendered within the browser, providing protection against ClickJacking and Cross-Site-Scripting attacks.

X-Frame Options Header

edgeCore by default configures the X-Frame Options so that pages are rendered within the browser as long as they are from the ‘SAMEORIGIN’. In some instances where edgeCore is behind a proxy (like NGINX), or we have another customer application that frames edgeCore, you must add the following line to [INSTALL_HOME]/conf/ to override the default behavior.


When running behind NGINX, you may also need to override the default allowFrom configuration of /edgeweb content. By default, it’s set to ‘SAMEORIGIN’. If it needs to be set to the value configured in ‘security.allowFrom’, you must add the following line to [INSTALL_HOME]/conf/ to override the default behavior.


Additional information is available on this link.

Content Security Policy (CSP) Header

edgeCore allows the additional configuration of the CSP Header used to control the frame-ancestors directive specifying the valid parents that are allowed to embed the page using frames. This is subject to browser support (refer to the link below for browser support information).
To configure the CSP Header override, you can specify the following line in [INSTALL_HOME]/conf/


If the above configuration is enabled, only pages from the subdomain over HTTP would be able to contain edgeCore.
Additional information is available on this link.

X-XSS-Protection Header

edgeCore configures this header to assist in XSS protection. While this behavior is typically enabled by default, this header ensures it is enabled and tells the browser what to do when an XSS attack is detected. This configuration is set to block the content if it is detected.

X-XSS-Protection: 1; mode=block


Terms | Privacy