Hi Deepak,

Sounds good. Are these headers applied everywhere except CMS? If not, why not apply them everywhere?
On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam <deepak.nigam1...@gmail.com> wrote:
> Hello All,
>
> While rendering the view through the controller request we set the
> important security headers like x-frame-options, strict-transport-security,
> x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the
> response object. (Please see the 'renderView' method of the RequestHandler
> class.) But these security headers are missing in the pages rendered
> through CMS. (Please visit the CmsEvents class.)
>
> These headers are very crucial for the security of the application as they
> help to prevent various security threats like cross-site scripting,
> cross-site request forgery, clickjacking etc.
>
> IMO, we should add these security headers in the response object prepared
> through the CMS also. WDYT?
>
> Thanks & Regards
> --
> Deepak Nigam
> HotWax Systems Pvt. Ltd.
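One way to make the headers independent of which code path renders the page, as an added illustration that is not part of this thread and not OFBiz's own code: a servlet filter mapped to every URL sets the five headers named above on every response, so CMS-rendered pages and controller-rendered pages get the same treatment. The header values, the class name `SecurityHeadersFilter` and the helper names `defaultHeaders` / `applyHeaders` are assumptions for the example; the thread only names the headers, not their values.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not OFBiz code): applies the security headers to every
 * response that passes through it, regardless of whether the controller or the
 * CMS produced the page. Map it to "/*" in web.xml so no render path is skipped.
 */
public class SecurityHeadersFilter implements Filter {

    /** Header values are assumed defaults for this example, not values taken from the thread. */
    static Map<String, String> defaultHeaders() {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("X-Frame-Options", "SAMEORIGIN");                    // clickjacking
        h.put("X-Content-Type-Options", "nosniff");                // MIME sniffing
        h.put("X-XSS-Protection", "1; mode=block");                // legacy browser XSS filter
        h.put("Referrer-Policy", "strict-origin-when-cross-origin"); // referrer leakage
        return h;
    }

    /**
     * Sets each header that is not already present on the response and returns the
     * names that were added. HSTS is only meaningful on an HTTPS response, so it is
     * added only when the request arrived over TLS.
     */
    static List<String> applyHeaders(HttpServletResponse response, Map<String, String> headers,
                                     boolean secureRequest) {
        List<String> added = new ArrayList<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (!response.containsHeader(e.getKey())) {
                response.setHeader(e.getKey(), e.getValue());
                added.add(e.getKey());
            }
        }
        if (secureRequest && !response.containsHeader("Strict-Transport-Security")) {
            response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
            added.add("Strict-Transport-Security");
        }
        return added;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the headers before the chain runs: once the response is committed
            // (first body bytes flushed), setHeader is silently ignored.
            applyHeaders((HttpServletResponse) res, defaultHeaders(), req.isSecure());
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because `applyHeaders` skips headers that are already present, a render path that deliberately sets a stricter or page-specific value (for example a different `X-Frame-Options` for an embeddable widget) keeps it; the filter only fills in what is missing. A quick check after deployment is to fetch a CMS page and a controller page and confirm both carry the same set of headers.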