https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaa-p/12267804#M4595403 <P>Hello,</P><P>SAP Note <A href="https://launchpad.support.sap.com/#/notes/2860209" target="_blank">2860209</A> enables the X-Xss-protection header for WEBGUI (Handler CL_HTTP_EXT_ITS_2, used in new releases).</P><P>Regards,</P><P>Cris</P> Wed, 26 Aug 2020 22:34:27 GMT cris_hansen 2020-08-26T22:34:27Z https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaq-p/12267801 <P>Hi,</P> <P>"HTTP Security Header Not Detected" is one of many security vulnerabilities from third party network scan. As per the solution provided, I need to set proper X frame option, X-Xss-protection, X-content-type-option and strict-transport-security. Our env consists of Fiori and ECC system. Any idea where to set these settings to fix this vulnerability? </P> <P>Thanks</P> Tue, 25 Aug 2020 16:27:23 GMT https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaq-p/12267801 Former Member 2020-08-25T16:27:23Z https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaa-p/12267802#M4595401 <P>Hello,</P><P>Check SAP Note <A href="https://launchpad.support.sap.com/#/notes/2202116" target="_blank">2202116</A> - Support of HTTP Strict Transport Security.</P><P>If you share the SAP_BASIS version and SP level, then I can see about the other headers.</P><P>Regards,</P><P>Cris</P> Tue, 25 Aug 2020 16:45:19 GMT https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaa-p/12267802#M4595401 cris_hansen 2020-08-25T16:45:19Z https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaa-p/12267803#M4595402 <P>Thanks. I will check the note.</P><P>SAP_BASIS is on 740 Sp16</P> Tue, 25 Aug 2020 17:11:39 GMT https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaa-p/12267803#M4595402 former_member706793 2020-08-25T17:11:39Z https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaa-p/12267804#M4595403 <P>Hello,</P><P>SAP Note <A href="https://launchpad.support.sap.com/#/notes/2860209" target="_blank">2860209</A> enables the X-Xss-protection header for WEBGUI (Handler CL_HTTP_EXT_ITS_2, used in new releases).</P><P>Regards,</P><P>Cris</P> Wed, 26 Aug 2020 22:34:27 GMT https://community.sap.com/t5/technology-q-a/http-security-header-not-detected/qaa-p/12267804#M4595403 cris_hansen 2020-08-26T22:34:27Z