I know that we are able to send custom headers with the front end and set them using the SsoConfig tool. However, I tried to set the Cache-Control: no-store in the custom header but it doesn't get set. When I log in, the Cache-Control is:
Cache-Control: private, no-store, no-cache, must-revalidate
Our security group wants it to be:
Cache-Control: private, no-store
Where would this get set (if possible), and what impact will it have on the server if the end user's browser is not caching anything?
DX NetOps Performance Management
20.2.9/10 is limited in what pages we are setting Custom Headers for. We are only setting the one for iframe disablement in SSO JSPs.
Upgrade to NetOps 21.2.1 whenever it's released. It will come with a default set of custom headers OOTB and apply to more pages.
The new feature and how to manage it is documented on the r21.2 Manage Custom HTTP Headers page.
NOTE: This will require upgrading PM/Spectrum/NFA/VNA all within the same maintenance window, as there are changes in the products requiring AUTH where there used to not be.
21.2.1 is different: we've made serious changes to make sure most JSPs and other pages use Custom Header values. We now will send those to DA and DA will be setting them also.
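One way to check, page by page, whether a response carries the Cache-Control directives the security group asked for, as an added example (not Broadcom's code). It compares directives rather than raw strings; the paths in SAMPLE are hypothetical, and the header values would come from your own captured responses.

```python
REQUIRED = "private, no-store"  # value the security group asks for (from this page)

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    parts, token, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:  # commas inside quoted arguments do not split
            parts.append("".join(token))
            token = []
        else:
            token.append(ch)
    parts.append("".join(token))
    directives = {}
    for part in parts:
        name, sep, arg = part.strip().partition("=")
        if name:  # directive names are case-insensitive
            directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives

def compare(observed, required=REQUIRED):
    """Report required directives that are missing and directives that are extra."""
    obs = parse_cache_control(observed or "")  # None means the header was absent
    req = parse_cache_control(required)
    return {
        "missing": sorted(set(req) - set(obs)),
        "extra": sorted(set(obs) - set(req)),
        "exact_match": set(obs) == set(req),
    }

def audit(responses, required=REQUIRED):
    """responses maps a page path to its Cache-Control value (None if absent)."""
    return {path: compare(value, required) for path, value in responses.items()}

# Constructed sample: hypothetical paths; the first value is the header quoted above.
SAMPLE = {
    "/page-a": "private, no-store, no-cache, must-revalidate",
    "/page-b": "Private, No-Store",
    "/page-c": None,
}

if __name__ == "__main__":
    for path, result in audit(SAMPLE).items():
        print(path, result)
```

For the header quoted in the question, the result lists nothing missing and two extra directives (`must-revalidate`, `no-cache`); a page with no header at all reports both required directives as missing.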
What custom HTTP Header options are supported to change?
Engineering reviewed the locations in code where we're using those as hard coded values.
To allow a change to those hard coded values would be an Enhancement Request.
The default value we set OOTB for Custom.Headers is what we highly suggest to pass security scans. The default value is visible via the SsoConfig tool (1. DX NetOps -> 3. Performance Center -> value seen for "Custom HTTP headers to be added to our responses:"). A r21.2.6 lab shows this as the OOTB value.