To protect against Clickjacking, for any page that contains forms which require a user to enter sensitive information, Veracode recommends using the X-Frame-Options header set to either DENY or SAMEORIGIN. Currently this value is set at the CSP level or in DSS (as a custom header), which applies to the whole application and is not set page by page.
We would like to know if the above recommendation from Veracode can be implemented and if not, why and whether anything can be done to compensate.
Hello @NadeemM8116 ,
Thank you for posting your question here.
While it is feasible to have a custom header ‘X-Frame-Options’ for your Pega application, Pega recommends that you use the frame-ancestors directive from the content-security-policy instead of that request header, as both work the same way.
While generating the HTTP response, Pega adds the custom headers to all the XHR requests or any other requests that contain sensitive information. If your application uses a CSP, then you might find this header in the response for all the XHR requests and not for JS or CSS calls, as they do not have any sensitive information.
For more information on how to set the custom header and CSP, please go through the articles below.
Pegasystems Documentation
I hope this answers your question.
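As an added example (not from the original thread and not Pega's own code), a small Python audit that applies the precedence the answer relies on: when a Content-Security-Policy response carries a frame-ancestors directive, browsers ignore X-Frame-Options, so the check reads frame-ancestors first and falls back to X-Frame-Options only when it is absent. The header sets are constructed samples, not real Pega responses.

```python
# Added example: classify a response's anti-clickjacking posture.
# Per the CSP specification, a present frame-ancestors directive takes
# precedence and X-Frame-Options is ignored; the logic mirrors that.
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into directive -> source list."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            # directive names and keyword sources are ASCII case-insensitive
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'restricted' or 'unprotected'."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:          # CSP wins; X-Frame-Options ignored
            if ancestors == ["'none'"]:
                return "deny"
            if ancestors == ["'self'"]:
                return "sameorigin"
            if "*" in ancestors:
                return "unprotected"
            return "restricted"            # explicit allow-list of origins
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    return "unprotected"


# Constructed sample responses (not captured from a real application)
SAMPLES = {
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "xfo_only": {"X-Frame-Options": "DENY"},
    "conflict": {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "SAMEORIGIN"},
    "allow_all": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "static_css": {"Content-Type": "text/css"},
}


def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to its framing verdict."""
    return {name: framing_policy(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

The "allow_all" sample shows why the answer's advice matters: a permissive frame-ancestors silently overrides a strict X-Frame-Options, so the CSP directive is the value to audit.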