Custom headers
- Last Updated: Mar 20, 2025
- PI System
- PI Web API 2023 SP1 Patch 1
- Developer
You can apply custom headers (for example, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy) in addition to the response headers that PI Web API sends, or use them to override the values of headers that PI Web API sets. These custom headers are applied to all responses, including those with 400- and 500-range status codes. Note that some headers, such as Content-Length, are reserved due to the HTTP specification.
When a header cannot be attached to a response, because it is reserved or incorrectly formed, the event log contains an event stating the reason for the failure. The response is still sent, but without the custom header that could not be set. If multiple custom headers are specified and one fails, the others are still set.
CustomHeadersEnabled and CustomHeaders
First, set the CustomHeadersEnabled configuration item in PI System Explorer with a Value Type of Boolean and a value of true. Next, create a CustomHeaders attribute with a Value Type of String Array.
Observe the following syntax rules:
- Each entry in the array is a new custom header
- Each entry must consist only of ASCII characters
- Each entry in the array must be of the form HeaderName: HeaderValue
  Note: A space after the colon is required.
- HeaderName cannot contain any of the following characters:
  ( ) , / : ; < = > ? @ \ { } "
- HeaderName cannot be a reserved header name. PI Web API does not control the circumstances by which a header name is reserved, since it depends on both the application state and the HTTP specification.
For example:
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Content-Security-Policy: block-all-mixed-content; default-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.uservoice.com; frame-ancestors 'self'; object-src 'none'; img-src 'self' data:
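The syntax rules above can be checked before the entries are typed into PI System Explorer, so that a malformed header is caught up front rather than silently dropped with only an event-log entry. The following Python script is an added example, not part of the PI Web API documentation or product. The function names, the sample array, and the reserved-name set (only Content-Length is named on this page) are assumptions, and the two checks marked in the comments go beyond the rules listed here.

```python
# Added example: pre-check CustomHeaders entries against the syntax rules above.
FORBIDDEN_NAME_CHARS = set('(),/:;<=>?@\\{}"')  # character list taken from the page

# Assumption: only Content-Length is named on the page as reserved. The real set
# depends on application state and the HTTP specification.
KNOWN_RESERVED = {"content-length"}


def check_entry(entry):
    """Return the rule violations for one CustomHeaders array entry."""
    problems = []
    if not entry.isascii():
        problems.append("non-ASCII characters")
    if "\r" in entry or "\n" in entry:
        # Not a rule from the page: a line break means the entry was wrapped
        # or pasted together with another header.
        problems.append("line break inside entry")
    name, sep, _value = entry.partition(": ")
    if not sep or not name:
        problems.append("not of the form 'HeaderName: HeaderValue'")
        return problems
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append("forbidden characters in name: " + " ".join(bad))
    if any(c.isspace() for c in name):
        # Not listed on the page: HTTP field names cannot contain whitespace.
        problems.append("whitespace in name")
    if name.lower() in KNOWN_RESERVED:
        problems.append("reserved header name")
    return problems


def check_headers(entries):
    """Map each failing entry to its violations; valid entries are omitted."""
    return {e: p for e in entries if (p := check_entry(e))}


# Constructed sample array, as it might be typed into the CustomHeaders attribute.
SAMPLE = [
    "X-Content-Type-Options: nosniff",
    "Referrer-Policy:same-origin",   # missing space after the colon
    "Content-Length: 0",             # reserved
    "X-Frame@Options: DENY",         # '@' is not allowed in a header name
    "img-src 'self' data:",          # fragment of a line-wrapped policy
]

if __name__ == "__main__":
    for entry, problems in check_headers(SAMPLE).items():
        print(f"{entry!r}: {'; '.join(problems)}")
```

The last sample entry shows why a long Content-Security-Policy value must stay in a single array entry: a wrapped fragment does not match the HeaderName: HeaderValue form on its own.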