WebSphere Application Server & Liberty

  • 1.  MISCONFIGURED SECURITY HEADERS

    Posted 2 days ago

    Dear Team

    How do we configure the missing HTTP header on tWAS 9.0.5.x?

    The headers should be set as follows
    - Set the X-XSS header as follows: X-XSS-Protection: 1;mode=block
    This enables the filter and instructs the browser to block the entire page if an XSS attack is detected. This is more secure than just 1.

    MISCONFIGURED SECURITY HEADERS
    The web application does not have the security headers set correctly:
    - Cross Site Scripting Protection (X-XSS): This protects against Cross-Site Scripting attacks sniffing.
    X-XSS-Protection: 1; This enables the browser's XSS filter but does not block the page if an attack is detected.

    Thanks



    ------------------------------
    Adeoye Omoboya
    ------------------------------


  • 2.  RE: MISCONFIGURED SECURITY HEADERS

    Posted yesterday

    Hello Adeoye,

    What does your environment look like? Do you have an Apache and/or HTTP Server before your tWAS deployment? If yes, you could use the mod_headers (https://httpd.apache.org/docs/current/mod/mod_headers.html) module to set response headers if needed.

    Hope this helps. 



    ------------------------------
    Hermann Huebler
    Cloud Architect
    Alpium IT Solutions GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------
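
One way to confirm which X-XSS-Protection value a response actually carries, before and after a change such as the mod_headers one suggested above. This is an added example, not part of either post; the function names and the sample responses are constructed for illustration.

```python
# Added example: classify the X-XSS-Protection header in a raw HTTP response.
# The sample responses below are constructed, not captured from a real server.

def xss_protection_values(raw_response):
    """Return every X-XSS-Protection value found in the response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive.
        if sep and name.strip().lower() == "x-xss-protection":
            values.append(value.strip())
    return values

def classify(raw_response):
    """Map the header state to: missing, duplicate, disabled,
    filter-only, block or invalid."""
    values = xss_protection_values(raw_response)
    if not values:
        return "missing"
    if len(values) > 1:
        # Can happen when the application server and the web server in
        # front of it each emit the header.
        return "duplicate"
    parts = [p.strip().lower() for p in values[0].split(";")]
    if parts[0] == "0":
        return "disabled"
    if parts[0] == "1":
        # "1;mode=block" and "1; mode=block" are treated the same.
        return "block" if "mode=block" in parts[1:] else "filter-only"
    return "invalid"

# Constructed samples: the reported state, the requested state, and two
# states worth ruling out after the configuration change.
REPORTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1\r\n\r\n<html></html>"
REQUESTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1;mode=block\r\n\r\n<html></html>"
NO_HEADER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
TWO_HEADERS = ("HTTP/1.1 200 OK\r\nx-xss-protection: 1\r\n"
               "X-XSS-Protection: 1; mode=block\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in [("reported", REPORTED), ("requested", REQUESTED),
                       ("no header", NO_HEADER), ("two headers", TWO_HEADERS)]:
        print(f"{label:12} -> {classify(raw)}")
```
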