On 14.12.2017 at 21:03, Ryan Ollos wrote:
> On Thu, Dec 14, 2017 at 9:41 AM, Torge Riedel <[email protected]> wrote:
>> Hi,
>>
>> I've set up a trac via https using the latest stable trac (1.2.2). I've found a nice tool for checking site configuration: https://observatory.mozilla.org/
>>
>> Checking my trac installation I got a poor "D" rating. Following is the list of failed tests resulting in a negative score:
>>
>> Test                     Score  Explanation
>> Content Security Policy   -25   Content Security Policy (CSP) header not implemented
>> Contribute.json           -10   Contribute.json file cannot be parsed
>> X-Content-Type-Options     -5   X-Content-Type-Options header not implemented
>> X-Frame-Options           -20   X-Frame-Options (XFO) header not implemented
>> X-XSS-Protection          -10   X-XSS-Protection header not implemented
>>
>> Since other sites hosted on my server get better ratings, there must be a chance to fix this in the code. Another way is to add such headers to the apache config, but I'm not sure whether I am breaking something in trac, and it's less flexible.
>>
>> Is there a chance to improve the headers trac is sending? Can I help with whatever is helpful?
>>
>> Regards
>> Torge
>
> Some or all of this may be best addressed through your web server configuration. Are you running Apache?
>
> - Ryan
>
> --
> You received this message because you are subscribed to the Google Groups "Trac Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/trac-dev. For more options, visit https://groups.google.com/d/optout.
Yes, I am running apache, and I have full access to my server. Others might not have full access to the apache config to be able to add headers, or mod_headers might not be activated. That's why I think as many such headers as possible should be sent by trac.
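For anyone who, like Torge, cannot rely on mod_headers, the headers Observatory flagged can be added in front of Trac without touching Trac's code base. The following is an added example, not code from the thread or from the Trac project: a small WSGI middleware that wraps any WSGI application (Trac's entry point is trac.web.main.dispatch_request) and appends the missing headers to every response. The header values, the Report-Only CSP, and the stand-in application that simulates Trac are assumptions chosen for the example; the one deliberate design point is that a header the application already sets is left alone, so Trac (or a plugin) can override the defaults later.

```python
"""WSGI middleware that adds the response headers Mozilla Observatory
reported as missing. It wraps any WSGI app, including Trac's
trac.web.main.dispatch_request, and never overrides a header the app
already set. Runs on Python 2 and 3."""

# Assumed defaults for this example, not values taken from the thread.
# The CSP is deliberately shipped as Report-Only: a policy that forbids
# inline scripts can break pages that depend on them, so watch the
# reports first and switch the name to Content-Security-Policy once the
# site is clean.
SECURITY_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy-Report-Only",
     "default-src 'self'; object-src 'none'; frame-ancestors 'self'"),
]


def merge_headers(headers, extra=SECURITY_HEADERS):
    """Return `headers` plus every entry of `extra` whose name is not already
    present. Header names are compared case-insensitively, so a header the
    application set itself (in any casing) wins over the default."""
    present = set(name.lower() for name, _ in headers)
    merged = list(headers)
    for name, value in extra:
        if name.lower() not in present:
            merged.append((name, value))
    return merged


class SecurityHeaders(object):
    """Wrap a WSGI app and inject `extra` headers via start_response."""

    def __init__(self, app, extra=SECURITY_HEADERS):
        self.app = app
        self.extra = extra

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status,
                                  merge_headers(headers, self.extra),
                                  exc_info)
        return self.app(environ, wrapped_start_response)


def _demo_app(environ, start_response):
    """Constructed stand-in for Trac. It already sends its own
    X-Frame-Options, which the middleware must not clobber."""
    start_response("200 OK", [("Content-Type", "text/html;charset=utf-8"),
                              ("X-Frame-Options", "DENY")])
    return [b"<html>trac</html>"]


def run_demo():
    """Drive the wrapped demo app with a minimal constructed WSGI environ
    and return (status, headers as a dict, body) as a client would see it."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "wsgi.url_scheme": "https", "SERVER_NAME": "trac.example"}
    body = b"".join(SecurityHeaders(_demo_app)(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    status, headers, body = run_demo()
    print(status)
    for name in sorted(headers):
        print("%s: %s" % (name, headers[name]))
```

To use it with a real deployment, the trac.wsgi file would wrap the Trac entry point in the same way the demo wraps _demo_app, i.e. `application = SecurityHeaders(dispatch_request)` after importing dispatch_request from trac.web.main. A site behind Apache can of course still do this with mod_headers instead; the middleware just removes the dependency on having that module and access to the server config.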
