Declarative Security via HTTP Headers

You can use declarative security controls as a strong line of defense against client browser-based attacks such as clickjacking, and to turn on the browser's built-in protection against cross-site scripting (XSS). The OWASP Secure Headers Project describes HTTP response headers that your application can send to increase its security.

The B2C Commerce APIs and the Storefront Reference Architecture (SFRA) provide this capability. You can set HTTP headers on an HTTP response using the addHttpHeader() method on the Response object. If your storefront or cartridge is SFRA-based, you can use the httpHeadersConf.json file to automatically set HTTP response headers on all responses.
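The mechanism described above, as an added example that is not B2C Commerce or SFRA code: a Node script that takes a header configuration in the shape SFRA's httpHeadersConf.json is assumed to use (an array of objects with `id` and `value` keys, an assumption), applies it to an in-memory stand-in for the Response object that models only the `addHttpHeader()` method named on this page, rejects configured names or values that contain control characters, and then audits the resulting headers against a set of headers the OWASP Secure Headers Project recommends. The header values in the configuration and the audit list are constructed for the example; the platform and middleware names are not reproduced here.

```javascript
'use strict';

// Constructed header configuration in the assumed httpHeadersConf.json shape
// (array of { id, value }); the values are example choices, not a project default.
const HTTP_HEADERS_CONF = [
  { id: 'X-Frame-Options', value: 'SAMEORIGIN' },                    // clickjacking
  { id: 'X-Content-Type-Options', value: 'nosniff' },                 // MIME sniffing
  { id: 'X-XSS-Protection', value: '1; mode=block' },                 // legacy browser XSS filter
  { id: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { id: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
];

// Minimal stand-in for the platform Response object: only addHttpHeader() is modelled.
// Header names are case-insensitive, so they are stored lower-cased.
class FakeResponse {
  constructor() { this.headers = new Map(); }
  addHttpHeader(name, value) {
    this.headers.set(String(name).toLowerCase(), String(value));
  }
}

// Header names and values must not contain CR, LF or other control characters;
// a configured value that does would corrupt the response header block.
const CTL = /[\u0000-\u001F\u007F]/;

// Apply every configured header to the response, as a per-request middleware would.
// Returns the lower-cased ids that were applied; throws on a malformed entry.
function applyHttpHeaders(res, conf) {
  if (!Array.isArray(conf)) throw new TypeError('httpHeadersConf must be an array');
  const applied = [];
  for (const entry of conf) {
    if (!entry || typeof entry.id !== 'string' || typeof entry.value !== 'string') {
      throw new TypeError('each entry needs a string "id" and a string "value"');
    }
    if (CTL.test(entry.id) || CTL.test(entry.value)) {
      throw new Error(`control character in header config for "${entry.id}"`);
    }
    res.addHttpHeader(entry.id, entry.value);
    applied.push(entry.id.toLowerCase());
  }
  return applied;
}

// Headers the OWASP Secure Headers Project recommends (a constructed subset),
// each with a predicate the value must satisfy to count as present and sane.
const EXPECTED = {
  'x-frame-options': v => /^(DENY|SAMEORIGIN)$/i.test(v),
  'x-content-type-options': v => /^nosniff$/i.test(v),
  'strict-transport-security': v => /max-age=\d+/i.test(v),
  'referrer-policy': v => v.length > 0,
  'content-security-policy': v => v.length > 0,
};

// Audit a response's headers; returns one finding per expected header that is
// missing or carries a value the predicate rejects.
function auditSecurityHeaders(headers) {
  const findings = [];
  for (const [name, ok] of Object.entries(EXPECTED)) {
    const v = headers.get(name);
    if (v === undefined) findings.push(`${name}: missing`);
    else if (!ok(v)) findings.push(`${name}: unexpected value "${v}"`);
  }
  return findings;
}

// Apply the constructed config to a fresh response and audit the outcome.
function demo() {
  const res = new FakeResponse();
  applyHttpHeaders(res, HTTP_HEADERS_CONF);
  return { headers: res.headers, findings: auditSecurityHeaders(res.headers) };
}

const result = demo();
for (const [name, value] of result.headers) console.log(`${name}: ${value}`);
console.log(result.findings.length ? result.findings : 'all expected headers present');
```

Run as written, the audit reports that the constructed configuration sets no Content-Security-Policy header, which is the kind of gap a deploy-time check of httpHeadersConf.json is meant to surface before a release reaches the storefront.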

Declarative security controls via HTTP headers and other client browser-based protections take effect only if the client's browser supports the feature. Check the B2C Commerce list of supported browsers before relying on a header to cover all supported user environments.