I think it would be a good idea to have something like this as an option in Wicket. Something to turn on with a one-liner for the application. There are a bunch of these headers that are useful, plus I recently came across this:
https://dev.to/ben/the-targetblank-vulnerability-by-example

Should we perhaps also add something that adds the rel="noopener" attribute to links with target="_blank"? I'm all for making these security things as easy as possible for the developer.

Carl-Eric

On Sat, 27 Aug 2016 18:08:36 +0200 Martin Grigorov <[email protected]> wrote:
> Hi,
>
> We use Spring Security in all our applications.
> It adds these response headers for free.
>
> Any other Servlet Filter could do the same but I don't mind adding
> facilities in Wicket too.
>
> Btw one of the security experts from OWASP audited our applications
> in the last few weeks. Although he's found a few problems here and
> there, he said very nice words for Wicket!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Sat, Aug 27, 2016 at 6:01 PM, Tobias Soloschenko <
> [email protected]> wrote:
>
> > Hi,
> >
> > Mozilla just made a tool public which allows scanning websites for
> > security risks. Maybe we can somehow add a default set of headers
> > to the page rendering of Wicket / apply other security relevant
> > implementations. Or we are able to make them at least optional:
> >
> > https://observatory.mozilla.org
> >
> > Example header:
> >
> > https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection
> >
> > What do you think about that idea?
> >
> > kind regards
> >
> > Tobias
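For reference, here is the kind of "default set of headers" the thread is talking about, done the way Martin's reply suggests it can be done today: as a plain Servlet Filter in front of WicketFilter. This is an added example, not code from the thread, from Wicket or from Spring Security; the class name and the header values are this example's own choices and would have to be tuned per application.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds a default set of security response headers to every response.
 * Hypothetical example: the header names are standard, the values are
 * this example's defaults and must be tuned for the real application.
 */
@WebFilter(urlPatterns = "/*")
public class SecurityHeadersFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            addDefaults((HttpServletRequest) req, (HttpServletResponse) res);
        }
        // Set the headers BEFORE the rest of the chain runs: once the page starts
        // streaming and the response is committed, setHeader() is silently ignored.
        chain.doFilter(req, res);
    }

    static void addDefaults(HttpServletRequest req, HttpServletResponse res) {
        // Stop browsers from MIME-sniffing a response away from its declared Content-Type.
        setIfAbsent(res, "X-Content-Type-Options", "nosniff");
        // Refuse to be framed (clickjacking); use SAMEORIGIN if the app frames its own pages.
        setIfAbsent(res, "X-Frame-Options", "DENY");
        // The header from the Mozilla guideline linked in the thread (legacy browser XSS filter).
        setIfAbsent(res, "X-XSS-Protection", "1; mode=block");
        // Don't leak full URLs to third-party origins.
        setIfAbsent(res, "Referrer-Policy", "strict-origin-when-cross-origin");
        // Deliberately restrictive starting policy; a real application will need to widen it.
        setIfAbsent(res, "Content-Security-Policy",
                "default-src 'self'; frame-ancestors 'none'");
        // HSTS is only meaningful over TLS; browsers ignore it on plain HTTP anyway.
        if (req.isSecure()) {
            setIfAbsent(res, "Strict-Transport-Security",
                    "max-age=31536000; includeSubDomains");
        }
    }

    /** A page may already have chosen its own value; a global default must not clobber it. */
    private static void setIfAbsent(HttpServletResponse res, String name, String value) {
        if (!res.containsHeader(name)) {
            res.setHeader(name, value);
        }
    }

    @Override
    public void destroy() { }
}
```

The two details worth keeping even if the values change: headers go on before the chain is invoked, because nothing set after the response is committed reaches the client, and a global default only fills in headers the page has not already set, so a page that needs a wider CSP or SAMEORIGIN framing can still override it. The rel="noopener" part of the proposal is a markup concern rather than a header one; in Wicket it can be handled per component with an attribute modifier such as `AttributeModifier.append("rel", "noopener")` on any link that sets target="_blank".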
