Legacy Knowledge Base
Published Jul. 2, 2025

Why certain Security Headers are not included in the HTTP Request and Response of Liferay DXP

Written By

Prarthana Jadhav

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • The following headers are reported as missing in Liferay:
    1. Missing "X-Content-Type-Options" header
    2. Missing "X-XSS-Protection" header
    3. Missing "X-Frame-Options" header
    4. Missing "Content-Security-Policy" header
    5. Missing "Strict-Transport-Security" header
    6. Missing cross-origin resource sharing (CORS) headers
    7. Missing "Public-Key-Pins" header

Environment

  • Liferay DXP 7.0-7.3

Resolution

  • The following headers are present by default and can be seen by inspecting any request:
    1. "X-Content-Type-Options" header
    2. "X-XSS-Protection" header
    3. "X-Frame-Options" header (screenshot of the response headers: Screenshot_from_2020-01-28_17-22-27.png)
  • For the rest of the headers:
    1. "Content-Security-Policy" header: Liferay Portal does not directly support CSP, in the sense that there is no configuration or UI for setting CSP directives. However, the CSP directives can be added on your own (e.g. via your web server or theme). The Content Security Policy (CSP) article might help to achieve this.
    2. "Strict-Transport-Security" header: This configuration should be performed on the application server, such as Tomcat, and not on the Liferay side. The Enabling HTTP Strict Transport Security (HSTS) article may help to achieve this.
    3. "Cross-origin resource sharing (CORS)" headers: Cross-Origin Resource Sharing is not managed by any Liferay configuration. The below articles have some helpful information and examples of web server configurations that can be used to enable CORS.
    4. "Public-Key-Pins" header: This configuration should be performed at the web server. The HTTP Public Key Pinning (HPKP) article might help in enabling Public-Key-Pins.
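As an added check (example code written for this article, not Liferay's own), the Python script below audits a set of response headers for the seven items in the Issue list: it reports which are missing and, for those that are present, whether the value is sound (X-Content-Type-Options must be nosniff, X-Frame-Options must be DENY or SAMEORIGIN, HSTS needs a max-age, CSP needs a default-src fallback). The one-year HSTS threshold and the two sample header sets are assumptions; fetch_headers is included for running the same audit against a live instance. Public-Key-Pins is treated as obsolete because HPKP support has been removed from the major browsers, so its absence is not reported as a defect.

```python
import re
from urllib.request import Request, urlopen

# The seven headers from the article, keyed by lower-case name, with the
# place the article says each one is configured (assumed wording).
EXPECTED = {
    "x-content-type-options": "served by Liferay DXP by default",
    "x-xss-protection": "served by Liferay DXP by default",
    "x-frame-options": "served by Liferay DXP by default",
    "content-security-policy": "set at the web server or in the theme",
    "strict-transport-security": "set at the application server, e.g. Tomcat",
    "access-control-allow-origin": "CORS, set at the web server",
    "public-key-pins": "HPKP, set at the web server",
}

MIN_HSTS_MAX_AGE = 31536000  # one year; an assumed policy threshold


def _check_value(name, value):
    """Judge the value of a header that is present. Returns 'ok' or a note."""
    v = value.lower()
    if name == "x-content-type-options":
        return "ok" if v == "nosniff" else f"unexpected value {value!r}, expected 'nosniff'"
    if name == "x-xss-protection":
        return "ok" if v in ("0", "1; mode=block") else f"unexpected value {value!r}"
    if name == "x-frame-options":
        return "ok" if v in ("deny", "sameorigin") else f"unsupported value {value!r}"
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m:
            return "present but has no max-age directive"
        age = int(m.group(1))
        return "ok" if age >= MIN_HSTS_MAX_AGE else f"max-age {age} is below {MIN_HSTS_MAX_AGE}"
    if name == "content-security-policy":
        if "default-src" not in v:
            return "present but has no default-src fallback"
        return "allows 'unsafe-inline'" if "'unsafe-inline'" in v else "ok"
    if name == "access-control-allow-origin":
        return "wildcard origin '*', confirm this is intended" if v == "*" else "ok"
    if name == "public-key-pins":
        return "present but obsolete: major browsers removed HPKP support, remove the header"
    return "ok"


def audit_security_headers(headers):
    """Return {header_name: finding} for each header the article lists.

    `headers` maps response header names to values; name case is ignored.
    A finding is 'ok' or a short description of what is missing or weak."""
    present = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    for name, where in EXPECTED.items():
        if name in present:
            findings[name] = _check_value(name, present[name])
        elif name == "public-key-pins":
            findings[name] = "absent, which is fine: HPKP is obsolete"
        else:
            findings[name] = f"missing ({where})"
    return findings


def fetch_headers(url):
    """Collect live response headers with a HEAD request (needs network access)."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())


# Constructed samples, not captured from a real instance.
SAMPLE_DEFAULT = {  # what the article says a stock Liferay DXP response carries
    "Content-Type": "text/html;charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
}
SAMPLE_HARDENED = dict(SAMPLE_DEFAULT, **{  # after the web/app server adds the rest
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Access-Control-Allow-Origin": "https://app.example.com",
})

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(f"== {label} ==")
        for name, finding in audit_security_headers(sample).items():
            print(f"  {name}: {finding}")
```

Run it against a live instance with `audit_security_headers(fetch_headers("https://your-liferay-host/"))`. On Tomcat, the HSTS, X-Frame-Options and X-Content-Type-Options headers can be added by the bundled `org.apache.catalina.filters.HttpHeaderSecurityFilter`, which matches the article's advice to set HSTS at the application server rather than in Liferay.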

Additional Information

Please Note: The above hyperlinked articles are unofficial articles that are shared to provide basic information. Your use of those articles is entirely at your discretion.

The headers described in items 4 to 7 should be configured either at the application server or at the web server, and both of those platforms fall beyond the scope of Liferay Support.

