Configure security headers for P4 Code Review
P4 Code Review relies on standard HTTP security headers to protect against common web risks such as clickjacking, cross‑site scripting (XSS), and MIME‑type sniffing. Missing or incorrectly configured headers can reduce overall security.
P4 Code Review deployments should review and correctly configure key headers, including:
- Content-Security-Policy (CSP) – restricts which resources the browser may load.
- X-Frame-Options – prevents clickjacking; typically set to SAMEORIGIN.
- X-Content-Type-Options – prevents MIME‑type sniffing (nosniff).
- Strict-Transport-Security (HSTS) – enforces HTTPS-only access.
These headers are usually set in the web server or proxy that fronts P4 Code Review.
Regularly audit your deployment to confirm that required headers are present and functioning as expected. After making changes, verify that P4 Code Review pages, reviews, and integrations continue to behave normally.
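An added example, not part of the P4 Code Review documentation: a small audit of the four headers listed above, run against constructed sample responses. Accepting DENY alongside SAMEORIGIN, requiring a non-zero HSTS max-age, and the placeholder URL are assumptions.

```python
import re
import urllib.error
import urllib.request

def fetch_headers(url):
    """Fetch response headers; error responses (4xx/5xx) still carry headers."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())

def audit_headers(headers):
    """Return a list of findings; an empty list means all four checks passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # CSP: presence only, since the right policy is deployment-specific.
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy: missing")
    # X-Frame-Options: SAMEORIGIN is typical; DENY is accepted here (assumption).
    xfo = h.get("x-frame-options", "")
    if xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options: {xfo or 'missing'}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not nosniff")
    # HSTS: max-age=0 tells the browser to drop the policy, so treat it as absent.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("Strict-Transport-Security: missing or max-age=0")
    return findings

# Constructed sample responses (not captured from a real deployment).
GOOD = {"Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK = {"x-frame-options": "ALLOW-FROM https://example.com",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=0"}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_headers(sample) or "ok")
    # Live check against a placeholder URL (assumption):
    # print(audit_headers(fetch_headers("https://swarm.example.com/")))
```

Browsers ignore Strict-Transport-Security received over plain HTTP, so point the live check at the HTTPS URL of the server or proxy that fronts P4 Code Review.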
For additional guidance, see:
- Security - for how to configure security within P4 Code Review.
- Secure P4 Code Review - for additional information on security hardening.