Missing security headers #650

cedneve · 2023-02-05T15:17:50Z

cedneve
Feb 5, 2023

As part of an external pentest, the following recommendation was formulated for Oxalis:

Configure the following HTTP headers:
• X-Content-Type-Options
• Referrer-Policy
• Permissions-Policy
• Content-Security-Policy
• X-Frame-Options
• Strict-Transport-Security (for HTTPS only)

It seems those security headers are missing in the HTTP responses leading to a medium security issue.

Could you add those or do you wish that we propose a fix to be merged into Oxalis to fix this ?

dladlk · 2023-02-06T13:51:51Z

dladlk
Feb 6, 2023
Maintainer

0 replies

runekock · 2023-05-04T18:17:42Z

runekock
May 4, 2023

@cedneve
Those headers are for browsers. I don't think they accomplish anything in this context. If you disagree, please explain for each header why it is a good idea.

0 replies

aaron-kumar · 2023-12-09T14:58:52Z

aaron-kumar
Dec 9, 2023
Maintainer

Things like "Strict-Transport-Security (for HTTPS only)" can be set it through Servlet container like Tomcat and e.g. through Cloudfront. Outside the scope of Oxalis.
Converting it to discussion, just in case you want to continue discussion...

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing security headers #650

{{title}}

Replies: 3 comments

{{title}}

{{title}}

{{title}}

Select a reply

Missing security headers #650

cedneve Feb 5, 2023

Replies: 3 comments

dladlk Feb 6, 2023 Maintainer

runekock May 4, 2023

aaron-kumar Dec 9, 2023 Maintainer

cedneve
Feb 5, 2023

dladlk
Feb 6, 2023
Maintainer

runekock
May 4, 2023

aaron-kumar
Dec 9, 2023
Maintainer