+1

Jacques


Le 08/10/2018 à 10:23, Deepak Dixit a écrit :
In RequestHandler they are added to the renderView method,
I think these should move to another place, as if the controller uses
any other type instead of view these headers will not be added to the response.

Also we can add a separate method in UtilHttp similar to
setResponseBrowserProxyNoCache that will add these security headers.

Thanks & Regards
--
Deepak Dixit


On Mon, Oct 8, 2018 at 1:43 PM, jler...@apache.org <jler...@apache.org>
wrote:

They are put in RequestHandler. There is a "Security header" block

Jacques



Le 08/10/2018 à 09:17, Taher Alkhateeb a écrit :

Hi Deepak,

Sounds good. Are these headers applied everywhere except CMS? If no then
why not apply them everywhere?


On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam <deepak.nigam1...@gmail.com>
wrote:

Hello All,
While rendering the view through the controller request we set the
important security headers like x-frame-options,
strict-transport-security,
x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the
response object. (Please see the 'renderView' method of RequestHandler
class.) But these security headers are missing in the pages rendered
through CMS. (Please visit the CmsEvents class).

These headers are very crucial for the security of the application as they
help to prevent various security threats like cross-site scripting,
cross-site request forgery, clickjacking etc.

IMO, we should add these security headers in the response object prepared
through the CMS also. WDYT?

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.



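The UtilHttp-style helper Deepak Dixit proposes above, applied from a filter so that CMS pages and non-view responses (Deepak Nigam's and Deepak Dixit's points) get the same headers, as an added example that is not OFBiz's own code. The class, method and filter names and the header values are assumptions; only the header names come from the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example, not OFBiz code. Hypothetical helper in the spirit of
// UtilHttp.setResponseBrowserProxyNoCache, plus a filter that calls it for
// every response instead of only from RequestHandler.renderView.
public final class SecurityHeadersExample {

    // Header values are illustrative defaults; a deployment would load them
    // from configuration rather than hard-code them here.
    public static void setResponseSecurityHeaders(HttpServletResponse response) {
        // Refuse framing by other origins (clickjacking).
        setIfAbsent(response, "X-Frame-Options", "SAMEORIGIN");
        // Stop browsers from sniffing a content type other than the declared one.
        setIfAbsent(response, "X-Content-Type-Options", "nosniff");
        // Legacy browser XSS filter, listed in the thread; modern browsers ignore it.
        setIfAbsent(response, "X-XSS-Protection", "1; mode=block");
        // Do not leak full URLs to other origins.
        setIfAbsent(response, "Referrer-Policy", "strict-origin-when-cross-origin");
    }

    // HSTS is only honoured on an HTTPS response, so it is set conditionally.
    public static void setResponseStrictTransportSecurity(HttpServletResponse response, boolean secure) {
        if (secure) {
            setIfAbsent(response, "Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        }
    }

    // setHeader would overwrite a value chosen earlier for this request
    // (for example by a screen), so only fill in headers that are still missing.
    private static void setIfAbsent(HttpServletResponse response, String name, String value) {
        if (!response.containsHeader(name)) {
            response.setHeader(name, value);
        }
    }

    // Registered in web.xml for "/*", this runs before the controller or CmsEvents,
    // so redirects, JSON and CMS pages all carry the headers. Headers must be set
    // before chain.doFilter, since the response may be committed inside the chain.
    public static final class SecurityHeadersFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (res instanceof HttpServletResponse) {
                HttpServletResponse response = (HttpServletResponse) res;
                setResponseSecurityHeaders(response);
                setResponseStrictTransportSecurity(response, req.isSecure());
            }
            chain.doFilter(req, res);
        }
    }
}
```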