At one of our sites we have a Pulse Secure appliance for remote access, purely with the Pulse Secure Desktop client. Their security officer has scanned the gateway (apparently with Qualys) and complains about it not sending specific HTTP headers in its responses, as mentioned here.
I tried to argue that the gateway is not supposed to be accessed with a web browser in the first place, XSS filters are enabled in modern browsers in the first place and there's no way to upload benign files to exploit MIME type mismatches. The gateway already does send the "X-Frame-Options: SAMEORIGIN" header.
Can you think of more/better arguments or can someone provide a technical document I could forward to them to convince them?
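As an added illustration, not part of the original thread: the kind of check a scanner performs for an "HTTP Security Header Not Detected" finding, in Python, run against a constructed response like the one described above (only X-Frame-Options: SAMEORIGIN set) and a constructed hardened one. The header set, the one-year HSTS threshold and the sample values are assumptions, not Qualys' or Pulse Secure's own logic.

```python
"""Audit a response's security headers the way a scanner does for an
"HTTP Security Header Not Detected" finding. Added example; the header
list and thresholds are assumptions, the sample responses are constructed."""
from typing import Dict, List

def _hsts_ok(value: str) -> bool:
    # Strict-Transport-Security must carry max-age of at least one year
    # (31536000 s, a commonly used threshold, assumed here); directives are case-insensitive.
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"')) >= 31536000
            except ValueError:
                return False
    return False

# Header name -> predicate that accepts a strong value.
CHECKS = {
    "Strict-Transport-Security": _hsts_ok,
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-XSS-Protection": lambda v: v.strip().startswith("1"),
    "Content-Security-Policy": lambda v: bool(v.strip()),
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings as 'missing: <name>' or 'weak: <name>=<value>'; [] means clean."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name, ok in CHECKS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not ok(value):
            findings.append(f"weak: {name}={value}")
    return findings

# Constructed samples: the gateway as described in the question, and a hardened response.
GATEWAY_AS_DESCRIBED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}

print("gateway:", audit_headers(GATEWAY_AS_DESCRIBED) or ["no findings"])
print("hardened:", audit_headers(HARDENED) or ["no findings"])
```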
Re: Qualys finding: HTTP Security Header Not Detected
Thank you for your question. Depending on the software version, this information may change. Please open a support ticket at https://my.pulsesecure.net, provide the scan report and our PSIRT (Pulse Security Incident Response Team) will review and respond accordingly. For more information about our PSIRT team, please refer to https://www.pulsesecure.net/psirt/.