Re: Missing Security Headers in CMS Events

2018-10-08 Thread Jacques Le Roux
+1 Jacques On 08/10/2018 at 10:23, Deepak Dixit wrote: In RequestHandler they are added to the renderView method, I think these should move to another place as if the controller uses any other type instead of view these headers will not be added to the response. Also we can add a separate

Re: Missing Security Headers in CMS Events

2018-10-08 Thread Deepak Nigam
Thank you, all. Here is the Jira ticket for the same. FYI, I have included cache related properties also in the Jira ticket. Thanks & Regards -- Deepak Nigam HotWax Systems Pvt. Ltd. On Mon, Oct 8, 2018 at 1:53 PM Deepak Dixit wrote: > In

Re: Missing Security Headers in CMS Events

2018-10-08 Thread Deepak Dixit
In RequestHandler they are added to the renderView method, I think these should move to another place as if the controller uses any other type instead of view these headers will not be added to the response. Also we can add a separate method in UtilHttp similar to setResponseBrowserProxyNoCache that

Re: Missing Security Headers in CMS Events

2018-10-08 Thread jler...@apache.org
Good catch Deepak, A Jira fits Jacques On 08/10/2018 at 07:02, Deepak Nigam wrote: Hello All, While rendering the view through the controller request we set the important security headers like x-frame-options, strict-transport-security, x-content-type-options, X-XSS-Protection and

Re: Missing Security Headers in CMS Events

2018-10-08 Thread jler...@apache.org
They are put in RequestHandler. There is a "Security header" block Jacques On 08/10/2018 at 09:17, Taher Alkhateeb wrote: Hi Deepak, Sounds good. Are these headers applied everywhere except CMS? If no then why not apply them everywhere? On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam wrote:

Re: Missing Security Headers in CMS Events

2018-10-08 Thread Taher Alkhateeb
Hi Deepak, Sounds good. Are these headers applied everywhere except CMS? If no then why not apply them everywhere? On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam wrote: > Hello All, > > While rendering the view through the controller request we set the > important security headers like

Missing Security Headers in CMS Events

2018-10-07 Thread Deepak Nigam
Hello All, While rendering the view through the controller request we set the important security headers like x-frame-options, strict-transport-security, x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the response object. (Please see the 'renderView' method of