HEADER

The HEADER element defines HTTP headers for the requests and responses exchanged over HTTP between Web applications, Web services and the client.

Starting with GAS 3.00 you can set custom HTTP headers for Web applications and Web services. This configuration takes place in the HTTP element of the INTERFACE_TO_CONNECTOR element of the GAS configuration file.

The HEADER element allows you to configure the launching of Web applications and Web services. HTTP headers can be configured for applications using the APPLICATION element and for Web services using the SERVICE element.

Syntax

[<HEADER Name="headerName">value[;...]</HEADER>][...]

Syntax notes

  1. The Name attribute defines the unique identifier for the HTTP header.
  2. The value is a list of values separated by semicolons.

Usage example - configure security headers

To set HTTP security headers that comply with Open Web Application Security Project (OWASP) recommendations, configure the headers shown in the example:
  • The "X-XSS-Protection" header, with the value 1; mode=block used in the example, turns on the cross-site scripting (XSS) filter built into most web browsers. The filter is usually enabled by default.
  • The "X-Content-Type-Options" header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared content-type. This helps reduce the danger of drive-by or unintended downloads.
  • The "X-Frame-Options" header provides clickjacking protection by restricting which pages may load your site in a frame. The SAMEORIGIN value used in the example allows framing only by pages from the same origin.

<INTERFACE_TO_CONNECTOR>
  ...
  <HTTP>
    <SESSION_COOKIE/>
    <APPLICATION>
      <HEADER Name="X-XSS-Protection">1; mode=block</HEADER>
      <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
      <HEADER Name="X-Frame-Options">SAMEORIGIN</HEADER>
    </APPLICATION>
    <SERVICE>
      <HEADER/>
    </SERVICE>
  </HTTP>
</INTERFACE_TO_CONNECTOR>
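
One way to check a configuration against the headers in this example, added here as an illustration and not part of the GAS documentation or tooling: the script parses a constructed INTERFACE_TO_CONNECTOR fragment and reports, separately for APPLICATION and SERVICE, which of the three headers are missing or carry a different value. The function names, the sample XML and the treatment of a HEADER element without a Name attribute are assumptions.

```python
import xml.etree.ElementTree as ET

# Header values from the page's example; exact-match comparison is this example's choice.
EXPECTED = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: APPLICATION mirrors the page, SERVICE only has an empty HEADER.
SAMPLE = """<INTERFACE_TO_CONNECTOR>
  <HTTP>
    <APPLICATION>
      <HEADER Name="X-XSS-Protection">1; mode=block</HEADER>
      <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
      <HEADER Name="X-Frame-Options">SAMEORIGIN</HEADER>
    </APPLICATION>
    <SERVICE>
      <HEADER/>
    </SERVICE>
  </HTTP>
</INTERFACE_TO_CONNECTOR>"""

def normalize(value):
    """Split a semicolon-separated value into trimmed, lower-cased parts."""
    return [p.strip().lower() for p in (value or "").split(";") if p.strip()]

def audit(xml_text):
    """Return {section: {header: problem}} for APPLICATION and SERVICE under HTTP."""
    http = ET.fromstring(xml_text).find(".//HTTP")
    findings = {}
    for section in ("APPLICATION", "SERVICE"):
        node = http.find(section) if http is not None else None
        configured = {}
        for h in (node.findall("HEADER") if node is not None else []):
            if h.get("Name"):  # assumption: a HEADER without Name sets nothing
                configured[h.get("Name").lower()] = h.text
        problems = {}
        for name, want in EXPECTED.items():
            if name.lower() not in configured:
                problems[name] = "missing"
            elif normalize(configured[name.lower()]) != normalize(want):
                problems[name] = "unexpected value: %r" % configured[name.lower()]
        findings[section] = problems
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the sample, APPLICATION has no findings, while SERVICE reports all three headers as missing, since headers set under APPLICATION are checked separately from those under SERVICE.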

Parent elements

This element is a child of the following elements: