Has anyone implemented OWASP Headers using the gateway
OWASP Secure Headers Project - OWASP
The available threat protection policies can be utilized, but do they set any context variable as well which can be utilized for setting the OWASP Secure Headers?
What is the best way to do this if I have to, say, add the Content-Security-Policy OWASP header for the API Gateway?
Can someone please help with the above?
We have a fairly small API GW setup right now, but use a Global Policy to return some common secure headers that all endpoints require. For example, HSTS and some others are required for every service.
Just added the Manage Transport Properties assertion to add/replace the response headers with what we want, so each is always set to the required value.
Manage Transport Properties/Headers Assertion - CA API Gateway - 9.3 - CA Technologies Documentation
For ones that need additional or custom headers not in the standard list we use, we either add it straight into their policy and just return what is needed (Content-Security-Policy, for example, will often vary depending on the app), or use an included policy fragment if there's a common set across multiple services.
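Once a Global Policy like the one described above is in place, it is worth verifying that responses coming back through the gateway actually carry the headers. The checker below is an added example (not code from this thread or from the CA documentation): the required header names and the minimum acceptable values are assumptions based on the OWASP Secure Headers Project recommendations, and the sample response is constructed.

```python
"""Check a gateway response's headers against an OWASP Secure Headers baseline."""
from typing import Callable, Dict, List

# Required headers and a predicate on the lower-cased value. These minimums are
# an assumption taken from the OWASP Secure Headers Project recommendations;
# adjust them to whatever your Global Policy is meant to enforce.
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v and "includesubdomains" in v,
    "content-security-policy": lambda v: "default-src" in v,
    "x-content-type-options": lambda v: v == "nosniff",
    "x-frame-options": lambda v: v in ("deny", "sameorigin"),
    "referrer-policy": lambda v: v not in ("", "unsafe-url"),
    "cache-control": lambda v: "no-store" in v,
}
# Headers that leak implementation detail; the gateway should strip them.
FORBIDDEN = ("server", "x-powered-by", "x-aspnet-version")


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or 0 if absent/malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def check_secure_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    # HTTP header names are case-insensitive, so normalise before comparing.
    lower = {k.lower(): v.strip().lower() for k, v in headers.items()}
    findings: List[str] = []
    for name, ok in REQUIRED.items():
        if name not in lower:
            findings.append(f"missing {name}")
        elif not ok(lower[name]):
            findings.append(f"weak {name}: {lower[name]}")
    hsts = lower.get("strict-transport-security", "")
    if hsts and hsts_max_age(hsts) < min_hsts_age:
        findings.append("short strict-transport-security max-age")
    for name in FORBIDDEN:
        if name in lower:
            findings.append(f"remove {name}")
    return findings


# Constructed sample: a backend response that only partially applies the policy.
SAMPLE_GATEWAY_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Server": "Apache-Coyote/1.1",
}
```

Run it against a captured response's header map (for example `dict(resp.headers)` from any HTTP client) and treat a non-empty result as a policy gap to fix in the Global Policy or the service's own fragment.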