[
https://issues.apache.org/jira/browse/OFBIZ-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058368#comment-15058368
]
Forrest Rae commented on OFBIZ-6766:
------------------------------------
Jacques,
In the spirit of secure by default I'd like to throw my vote in for
HttpHeaderSecurityFilter being enabled by default moving forward.
hstsEnabled is an absolute must, do this over the other two. As a workaround, if
you leverage the mod_ajpproxy setup of Apache server in front of Tomcat, there
is a really awesome Apache config found in the Better Crypto Guide that enables
HSTS here: https://bettercrypto.org
blockContentTypeSniffingEnabled would really help in situations where file
uploads are replayed back to another user's web browser to prevent arbitrary
HTML and JavaScript being executed in the SAMEORIGIN. More info:
http://security.stackexchange.com/questions/12896/does-x-content-type-options-really-prevent-content-sniffing-attacks
Clickjacking can be more severe than you think, and any countermeasures you
can provide would be great for users.
> Secure HTTP headers
> -------------------
>
> Key: OFBIZ-6766
> URL: https://issues.apache.org/jira/browse/OFBIZ-6766
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: Upcoming Branch
>
>
> I have created a wiki page for this
> https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)