I'm running Hybris 6.3 and trying to add the following HTTP response headers globally:
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
In the storefront project, I added the following to spring-security-config.xml:
<security:headers>
    <security:frame-options policy="DENY" />
    <security:hsts include-subdomains="true" max-age-seconds="31536000" />
    <security:xss-protection block="true" />
    <security:content-security-policy policy-directives="default-src 'self'" />
</security:headers>
When I look at the headers in Chrome, I only see that it added the X-Frame-Options header and not the others.
Has anyone seen this behavior before?
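A checker for the four headers listed above, added here as an example (not part of the original post): it takes a response's header dict, e.g. dict(resp.headers) from urllib, and reports which headers are missing or differ from the expected values. The sample header dicts are constructed; the https flag is assumed true by default because Spring Security's HSTS writer only adds Strict-Transport-Security on responses to requests it considers secure.

```python
import re
import urllib.request

# Constructed sample: what the question reports seeing in Chrome (only X-Frame-Options).
OBSERVED = {"X-Frame-Options": "DENY", "Content-Type": "text/html;charset=UTF-8"}
# Constructed sample: what the <security:headers> block should produce on an HTTPS response.
EXPECTED = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}

def _get(headers, name):
    """Case-insensitive header lookup (servers and proxies vary the casing)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def audit_headers(headers, https=True):
    """Return a list of findings; an empty list means all four headers are as expected."""
    findings = []
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.strip().upper() != "DENY":
        findings.append(f"X-Frame-Options is {xfo!r}, expected DENY")
    xss = _get(headers, "X-XSS-Protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif re.sub(r"\s+", "", xss).lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection is {xss!r}, expected '1; mode=block'")
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:  # split into directives, then check default-src is exactly 'self'
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        if directives.get("default-src") != ["'self'"]:
            findings.append(f"Content-Security-Policy default-src is {directives.get('default-src')}, expected 'self'")
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        # Spring Security only writes HSTS when request.isSecure(), so absence on a
        # plain-HTTP test is expected rather than a misconfiguration.
        findings.append("Strict-Transport-Security missing on an HTTPS response" if https
                        else "Strict-Transport-Security not sent over plain HTTP; re-test over HTTPS")
    else:  # tolerate whitespace around ';' and any directive casing
        parts = [p.strip().lower() for p in hsts.split(";") if p.strip()]
        age = next((int(p[8:]) for p in parts if re.fullmatch(r"max-age=\d+", p)), -1)
        if age < 31536000:
            findings.append(f"Strict-Transport-Security max-age missing or below 31536000: {hsts!r}")
        if "includesubdomains" not in parts:
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings

def fetch_headers(url):
    """Fetch headers from a live storefront URL; the only network call, not run at import."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers)
```

Running audit_headers(OBSERVED) lists the three headers the question says are absent; feed it fetch_headers("https://<storefront>/") once a fix is in place to confirm all four arrive.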