simulator-common, version 2.5, was updated to support security check. To enable the security check on simulators you have to :

• login as admin
• go to : administration/configure.seam. This page is included on simulator-common, so accessible by any simulator
• if it is the first time you are enabling the security check,
  
  • you have to click on the button : Set default http headers value. This will update all missing application preferences related to http security headers.
  • update the application preference: security-policies,  set its value to true
    
  • you have then to click on the button : Update http header security policies
• to verify that the security headers are enabled, you can use firebug :
  
  • open firebug tool
  • enable "network" menu
  • reupload the home page
  • click on the GET request catched by firebug
  • verify that the header of the GET response contains attributes : X-WebKit-CSP-Report-Only,
    x-content-security-policy...