In RequestHandler they are added to the renderView method. I think these should move to another place, as if the controller uses any other type instead of view, these headers will not be added to the response.
Also we can add a separate method in UtilHttp similar to setResponseBrowserProxyNoCache that will add these security headers.

Thanks & Regards
--
Deepak Dixit

On Mon, Oct 8, 2018 at 1:43 PM, jler...@apache.org <jler...@apache.org> wrote:
> They are put in RequestHandler. There is a "Security header" block
>
> Jacques
>
> On 08/10/2018 at 09:17, Taher Alkhateeb wrote:
>
>> Hi Deepak,
>>
>> Sounds good. Are these headers applied everywhere except CMS? If no then
>> why not apply them everywhere?
>>
>> On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam <deepak.nigam1...@gmail.com>
>> wrote:
>>
>>> Hello All,
>>>
>>> While rendering the view through the controller request we set the
>>> important security headers like x-frame-options, strict-transport-security,
>>> x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the
>>> response object. (Please see the 'renderView' method of RequestHandler
>>> class.) But these security headers are missing in the pages rendered
>>> through CMS. (Please visit the CmsEvents class).
>>>
>>> These headers are very crucial for the security of the application as they
>>> help to prevent various security threats like cross-site scripting,
>>> cross-site request forgery, clickjacking etc.
>>>
>>> IMO, we should add these security headers in the response object prepared
>>> through the CMS also. WDYT?
>>>
>>> Thanks & Regards
>>> --
>>> Deepak Nigam
>>> HotWax Systems Pvt. Ltd.
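The thread's claim that CMS-rendered pages lack the headers set in renderView is the kind of thing a reviewer would rather verify than assume. The following is an added example, not OFBiz code and not something anyone in the thread posted: it parses the head of an HTTP response and reports which of the five headers named above are absent, so the same check can be run against a controller-rendered URL and a CMS-rendered URL. The two sample response heads are constructed for illustration (the header values such as SAMEORIGIN and nosniff are typical choices, not OFBiz's actual settings), and `check_live` is an assumed convenience helper that sends a HEAD request over the network.

```python
"""Report which expected security headers are missing from an HTTP response.

Added example (not OFBiz code). Names matter, not values: the thread is about
the headers being absent on CMS pages, so only presence is checked here.
"""
from __future__ import annotations

import urllib.request
from typing import Dict, List

# Headers named in the thread. Matching is case-insensitive because HTTP
# header field names are case-insensitive (RFC 7230).
EXPECTED_SECURITY_HEADERS = (
    "X-Frame-Options",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
)


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse the status line and header block of a raw HTTP response head.

    Header names are lower-cased. Repeated names are joined with ", ", as the
    RFC permits for list-valued fields. Obsolete line folding is not handled.
    """
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    for line in lines[1:]:
        if not line.strip():
            break  # the blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the expected security headers that are absent from `headers`."""
    present = {k.lower() for k in headers}
    return [h for h in EXPECTED_SECURITY_HEADERS if h.lower() not in present]


def check_live(url: str) -> List[str]:
    """Assumed network helper: HEAD `url` and report missing security headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return missing_security_headers(dict(resp.headers.items()))


# Constructed sample response heads (not captured from a real server).
# A page rendered through the controller's view path, with all five headers:
CONTROLLER_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "\r\n"
)
# A page rendered through a different path that never set them:
CMS_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, head in (("controller view", CONTROLLER_PAGE), ("CMS page", CMS_PAGE)):
        gaps = missing_security_headers(parse_response_head(head))
        print(f"{label}: {'all present' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Running it on the two constructed heads reports the controller page as complete and the CMS page as missing all five headers, which is the gap the thread describes. Against a live instance, calling `check_live` on one URL served through each rendering path gives the same comparison, and re-running it after a shared header-setting method is introduced confirms that both paths now set them.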