Issue
After configuring the X-XSS-Protection HTTP header in the Mendix Portal, duplicate X-XSS-Protection entries appear in the HTTP response. The response includes both the value configured in the Mendix Portal and a second value added by the platform.
Environment
Applications hosted in Mendix Dedicated Cloud
Cause
Applications hosted in Siemens Dedicated Cloud have mandatory security HTTP headers enforced at the platform level. These headers are always added to all responses, including REST API responses, regardless of the values configured in the Mendix Portal.
The enforced headers include:
- Referrer-Policy: "no-referrer" (always)
- X-Content-Type-Options: "nosniff" (always)
- X-Permitted-Cross-Domain-Policies: "none" (always)
- X-XSS-Protection: "1; mode=block" (always)
- Strict-Transport-Security: "max-age=31536000" (always)
When a different value for X-XSS-Protection is configured in Mendix Portal, both the platform-enforced header and the custom header are included in the response, which results in duplicated header entries.
Solution / Workaround
Platform-enforced security headers in Siemens Dedicated Cloud are always included in all responses and cannot be customized. Any custom values for these headers in the Mendix Portal will result in duplicates. To implement different header behavior, create and use custom headers that do not conflict with the platform-enforced headers.
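To confirm the behavior described above against a captured response, the following added example (not Mendix or Siemens code) parses raw HTTP response headers and flags any platform-enforced header that appears more than once or carries a value other than the enforced one. The enforced header values are those listed in this article; the sample response is constructed.

```python
from collections import defaultdict

# Platform-enforced headers and values listed in the article.
ENFORCED = {
    "referrer-policy": "no-referrer",
    "x-content-type-options": "nosniff",
    "x-permitted-cross-domain-policies": "none",
    "x-xss-protection": "1; mode=block",
    "strict-transport-security": "max-age=31536000",
}

def parse_headers(raw):
    """Group header values by lower-cased name (header names are
    case-insensitive), skipping the status line and blank terminator."""
    headers = defaultdict(list)
    for line in raw.split("\r\n"):
        if not line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers

def find_conflicts(raw):
    """Report enforced headers that occur more than once, and any value
    that differs from the platform-enforced one (a portal override)."""
    findings = []
    for name, values in parse_headers(raw).items():
        if name not in ENFORCED:
            continue
        if len(values) > 1:
            findings.append((name, "duplicate", values))
        extra = [v for v in values if v != ENFORCED[name]]
        if extra:
            findings.append((name, "portal-override", extra))
    return findings

# Constructed sample response: the portal-configured X-XSS-Protection
# value and the platform-added value are both present.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, kind, values in find_conflicts(SAMPLE):
        print(f"{name}: {kind} -> {values}")
```

Run it against the raw header block of a real response (for example, the output of a verbose HTTP client) to see which enforced headers the portal configuration is duplicating.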
Related internal information
- 231806
Additional information
Mendix documentation: