For security reasons, it would be powerful to add custom HTTP headers to each response. Then it is possible to add a header like
Strict-Transport-Security. A list of suggestions by OWASP can be found here: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Best_Practices
Multiple security firms have advised us to add these headers after conducting a security test. As a Mendix developer, you are currently not in control of the headers sent by the webserver, nginx.
I received the following notification from Mendix: a feature has been released in which a lot of headers can now be added:
We have recently added the possibility to add custom headers in Cloud v4. See paragraph 4.2 of https://docs.mendix.com/developerportal/deploy/environments-details#http-headers.
I am in need of this feature as well.
I also need this functionality because our customer wants to receive an A rating on https://securityheaders.com/
@Pieter Oskam: Your screenshot shows that we can add HTTP headers to the HTTP request that will be sent to the REST service. We need the ability to add headers to each response.
@Andrej Koelewijn: This Java action does not address the need, since we want to add the headers globally to each response, so also the responses that are created solely by Mendix. Besides that, I'm not looking forward to placing a Java action in every situation where a response will be created.
This feature could for example be implemented in the cloud portal just like the "Prevent embedding your app in an IFrame" option, which is also an HTTP header.
I need it too. Especially, AWS and other strict security sites recommend that we use X-Content-Type-Options: nosniff.
And also, a dynamically changeable header is much better for peer-to-peer network security.
Current plan on the roadmap is to provide a Java API to access request and response objects so you have access to the HTTP headers. This enables you to create a Java action to read or change headers. Does this address your need?
Thank you for your response; I'm actually referring to the response headers sent by the Mendix HTTP server to clients (browsers).
Isn't this already possible? Below is a screenshot from a project made with Mendix 6.10.2.
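The thread refers to the OWASP Secure Headers list and to the securityheaders.com rating but never shows how to verify what an app actually sends. The following is an added example (not Mendix code and not posted by anyone in the thread): a small checker that takes the response headers of a page, as returned by `curl -sI` for instance, and reports which of the headers discussed above are missing or weakly configured. The two header sets in the block are constructed to illustrate a default response versus one with the custom headers added; the thresholds (one-year HSTS max-age, `includeSubDomains`, CSP `frame-ancestors` as an alternative to X-Frame-Options) are this example's own choices and only approximate the securityheaders.com grading.

```python
"""
Check HTTP response headers against the security headers discussed in the
thread (OWASP Secure Headers Project / securityheaders.com style).
Added example, not part of Mendix or the original thread.  The sample
header sets below are constructed, not captured from a real server.
"""
import re
import sys
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; a common minimum for a strong HSTS policy


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse the head of an HTTP response (e.g. `curl -sI` output) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue  # skip the status line and the blank line that ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive
    # must restrict who may frame the page.
    xfo = _get(headers, "X-Frame-Options")
    framing_restricted = (xfo or "").upper() in ("DENY", "SAMEORIGIN") or (
        csp is not None and "frame-ancestors" in csp.lower()
    )
    if not framing_restricted:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if _get(headers, "Referrer-Policy") is None:
        findings.append("missing Referrer-Policy")

    return findings


# Constructed: what a response with no custom headers configured might look like.
DEFAULT_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-cache",
}

# Constructed: the same response after adding the headers discussed in the thread.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


if __name__ == "__main__":
    # With stdin attached, check real output: curl -sI https://example.invalid | python check.py
    if not sys.stdin.isatty():
        samples = {"stdin": parse_raw_headers(sys.stdin.read())}
    else:
        samples = {"default": DEFAULT_RESPONSE, "hardened": HARDENED_RESPONSE}
    for label, hdrs in samples.items():
        result = check_security_headers(hdrs)
        print(f"{label}: {'OK' if not result else ', '.join(result)}")
```

Run it without input to compare the two constructed header sets, or pipe `curl -sI` output of a deployed app into it to see which headers still have to be configured before the app can pass the kind of scan the customers in the thread are asking for.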