Security-related HTTP headers
By default, cloud.gov sets several security-related HTTP headers if your application does not:
X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000
These headers reflect some of the main recommendations of the OWASP Secure Headers Project. Many web application security scanners (commonly implemented to help fulfill RA-5) identify lack of these headers as a potential vulnerability, so cloud.gov sets them by default to support your application’s security and security compliance.
To override any of these headers, you can set them to a different value in your application. To omit the
X-Frame-Options header entirely, you can set its value to
ALLOWALL. Details on the behavior of HTTP headers.