---
title: Configuring Policy Editor security headers
description: Use an options file to configure the Policy Editor.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_config_pe_security_hdrs
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_config_pe_security_hdrs.html
revdate: May 23, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring Policy Editor security headers

Use an options file to configure the Policy Editor.

## About this task

You can configure the Policy Editor to add certain security headers to its responses for calls to the UI resources by editing the `securityHeaders` section of the options file. Supported headers are X-Frame-Options, Content-Security-Policy, and Access-Control-Allow-Origin. By default, X-Frame-Options is set to `deny` and the other two headers are unset.

## Steps

1. Make a copy of the default options file.

   ```shell
   $ cp config/options.yml my-options.yml
   ```

2. To configure Policy Editor security headers, edit the `securityHeaders` section of the new options file.

   The file contains commented out examples of different security headers.

   1. Duplicate the desired security header, uncomment, and modify its value according to your deployment.

      > **Note:** The use of indentation in the `options.yml` file is important. When removing comment hashes, ensure that you retain valid YAML file indentation structure.

      The following example illustrates the X-Frame-Options header duplicated and modified.

      ```yaml
      securityHeaders:
        # Configure the values that the Policy Editor will set in its
        # responses for the X-Frame-Options, Content-Security-Policy, and/or
        # Access-Control-Allow-Origin HTTP security headers here.
        #
        # X-Frame-Options: "deny"
        # Content-Security-Policy: "default-src https:"
        # Access-Control-Allow-Origin: "*"
        X-Frame-Options: "sameorigin"
      ```

3. Stop the Policy Editor.

   ```shell
   $ bin/stop-server
   ```

4. Run `setup` using the `--optionsFile` argument.

   ```shell
   $ bin/setup demo \
     --adminUsername admin \
     --generateSelfSignedCertificate \
     --decisionPointSharedSecret pingauthorize \
     --hostname <pap-hostname> \
     --port <pap-port> \
     --adminPort <admin-port> \
     --licenseKeyFile <path-to-license> \
     --optionsFile my-options.yml
   ```

5. Start the Policy Editor.

   ```shell
   $ bin/start-server
   ```
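After the restart, a practitioner wants two checks: that the edited `securityHeaders` section is well-formed (the indentation caveat from step 2), and that the running Policy Editor actually returns the configured headers. The following script is an added example, not Ping Identity's code. It assumes the options file layout shown above (a top-level `securityHeaders:` mapping whose active children are `Header-Name: "value"` lines), reads only that section with a small purpose-built reader so it needs no YAML library, and compares the result with a captured response head. Both the options excerpt and the response are constructed samples.

```python
"""Check a Policy Editor options file's securityHeaders section and compare
it with the headers a running instance returns.

Added example, not Ping Identity's code. Assumes the securityHeaders layout
shown in the documentation and parses only that section.
"""
import re
from typing import Dict, List, Optional

# Headers the documentation lists as supported, and the documented defaults
# (X-Frame-Options is deny, the other two are unset).
SUPPORTED = {"X-Frame-Options", "Content-Security-Policy",
             "Access-Control-Allow-Origin"}
DEFAULTS = {"X-Frame-Options": "deny"}

# Constructed sample of my-options.yml after step 2: X-Frame-Options changed
# to sameorigin and the Content-Security-Policy example uncommented.
SAMPLE_OPTIONS = """\
securityHeaders:
  # X-Frame-Options: "deny"
  # Content-Security-Policy: "default-src https:"
  # Access-Control-Allow-Origin: "*"
  X-Frame-Options: "sameorigin"
  Content-Security-Policy: "default-src https:"
"""

# Constructed sample of a captured response head from the Policy Editor UI.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
X-Frame-Options: sameorigin
Content-Security-Policy: default-src https:
"""

ENTRY = re.compile(r'([A-Za-z-]+):\s*"([^"]*)"')


def parse_security_headers(options_text: str) -> Dict[str, str]:
    """Return the active (uncommented) entries under securityHeaders.

    Enforces the indentation rule from the documentation: active entries must
    sit deeper than the securityHeaders key and share one indentation level.
    """
    headers: Dict[str, str] = {}
    section_indent: Optional[int] = None
    entry_indent: Optional[int] = None
    for lineno, raw in enumerate(options_text.splitlines(), 1):
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if section_indent is None:
            if line == "securityHeaders:":
                section_indent = indent
            continue
        if indent <= section_indent:
            # A supported header at this level was uncommented but lost its
            # indentation, so YAML would not place it under securityHeaders.
            match = ENTRY.fullmatch(line)
            if match and match.group(1) in SUPPORTED:
                raise ValueError(f"line {lineno}: {match.group(1)} is not "
                                 "indented under securityHeaders")
            break  # next top-level key ends the section
        if line.startswith("#"):
            continue  # commented-out example, still inactive
        if entry_indent is None:
            entry_indent = indent
        elif indent != entry_indent:
            raise ValueError(f"line {lineno}: indentation {indent} differs "
                             f"from the other entries ({entry_indent})")
        match = ENTRY.fullmatch(line)
        if not match:
            raise ValueError(f"line {lineno}: cannot parse entry: {line}")
        name, value = match.groups()
        if name not in SUPPORTED:
            raise ValueError(f"line {lineno}: unsupported header {name}")
        headers[name] = value
    if section_indent is None:
        raise ValueError("securityHeaders section not found")
    return headers


def config_error(options_text: str) -> Optional[str]:
    """Return the first configuration problem as text, or None if clean."""
    try:
        parse_security_headers(options_text)
    except ValueError as exc:
        return str(exc)
    return None


def expected_headers(options_text: str) -> Dict[str, str]:
    """Headers a response should carry: documented defaults plus the file."""
    return {**DEFAULTS, **parse_security_headers(options_text)}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split a captured HTTP response head into a lower-cased header map."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def header_problems(expected: Dict[str, str],
                    response: Dict[str, str]) -> List[str]:
    """List every expected header that is missing or carries another value."""
    problems = []
    for name, value in expected.items():
        got = response.get(name.lower())
        if got is None:
            problems.append(f"{name} missing (expected {value!r})")
        elif got != value:
            problems.append(f"{name} is {got!r}, expected {value!r}")
    return problems


if __name__ == "__main__":
    want = expected_headers(SAMPLE_OPTIONS)
    print("expected:", want)
    print("problems:", header_problems(want,
                                       parse_response_headers(SAMPLE_RESPONSE)))
```

To use it against a real deployment, replace `SAMPLE_OPTIONS` with the contents of `my-options.yml` and `SAMPLE_RESPONSE` with the head of a response from the Policy Editor UI (for example, the output of `curl -sI https://<pap-hostname>:<pap-port>/`). An empty problem list means the headers the file promises are the headers the server sends; a non-empty list after `setup` usually means the options file was not passed with `--optionsFile` or an entry lost its indentation when it was uncommented.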
