ofbiz-dev mailing list archives

From Taher Alkhateeb <slidingfilame...@gmail.com>
Subject Re: Missing Security Headers in CMS Events
Date Mon, 08 Oct 2018 07:17:11 GMT
Hi Deepak,

Sounds good. Are these headers applied everywhere except CMS? If no then
why not apply them everywhere?

On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam <deepak.nigam1990@gmail.com>

> Hello All,
> While rendering the view through the controller request we set the
> important security headers like x-frame-options, strict-transport-security,
> x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the
> response object. (Please see the 'renderView' method of RequestHandler
> class.) But these security headers are missing in the pages rendered
> through CMS. (Please visit the CmsEvents class).
> These headers are very crucial for the security of the application as they
> help to prevent various security threats like cross-site scripting,
> cross-site request forgery, clickjacking etc.
> IMO, we should add these security headers in the response object prepared
> through the CMS also. WDYT?
> Thanks & Regards
> --
> Deepak Nigam
> HotWax Systems Pvt. Ltd.
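The thread's point is that the header-setting logic lives only on the controller's view-rendering path, so a second rendering path (CMS) silently ships without it. The usual fix is to pull the headers into one shared helper that every response path calls, plus a check that can report which headers a response lacks. The class below is an added illustration, not OFBiz code; the class name `SecurityHeaders` and the header values are assumptions (OFBiz reads its actual values from configuration), and the helper takes functional setters/getters so it works with `response::setHeader` / `response::getHeader` on a real `HttpServletResponse` and with a plain map when run stand-alone.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BiConsumer;
import java.util.function.Function;

/**
 * Illustrative helper (not OFBiz's own code): applies the security headers
 * named in the thread through one shared method, so the controller view path
 * and the CMS event path set the same set of headers. Values are assumed.
 */
public final class SecurityHeaders {

    /** Header name -> assumed hardened value; insertion order kept for readable output. */
    static final Map<String, String> DEFAULTS = new LinkedHashMap<>();
    static {
        DEFAULTS.put("X-Frame-Options", "SAMEORIGIN");                        // clickjacking
        DEFAULTS.put("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        DEFAULTS.put("X-Content-Type-Options", "nosniff");                    // MIME sniffing
        DEFAULTS.put("X-XSS-Protection", "1; mode=block");                    // legacy browser XSS filter
        DEFAULTS.put("Referrer-Policy", "strict-origin-when-cross-origin");   // referrer leakage
    }

    private SecurityHeaders() {}

    /**
     * Sets every default header through the supplied setter. Pass
     * {@code response::setHeader} for a real HttpServletResponse, or a map's
     * {@code put} when exercising the logic outside a servlet container.
     */
    public static void apply(BiConsumer<String, String> setHeader) {
        DEFAULTS.forEach(setHeader);
    }

    /**
     * Returns the names of default headers that are absent or empty in the
     * response, read through the supplied getter ({@code response::getHeader}
     * in a filter or test). An empty list means the response carries all of them.
     */
    public static List<String> missing(Function<String, String> getHeader) {
        List<String> absent = new ArrayList<>();
        for (String name : DEFAULTS.keySet()) {
            String value = getHeader.apply(name);
            if (value == null || value.isEmpty()) {
                absent.add(name);
            }
        }
        return absent;
    }

    /** Stand-alone demonstration with a map standing in for a servlet response. */
    public static void main(String[] args) {
        // Constructed sample: what a CMS render might set on its own.
        Map<String, String> cmsResponse = new LinkedHashMap<>();
        cmsResponse.put("Content-Type", "text/html; charset=UTF-8");

        System.out.println("Before: missing " + missing(cmsResponse::get));
        apply(cmsResponse::put);
        System.out.println("After:  missing " + missing(cmsResponse::get));
    }
}
```

Calling `SecurityHeaders.apply(response::setHeader)` from both the view-rendering method and the CMS event handler removes the gap the thread describes; `missing(response::getHeader)` is handy in a servlet filter or an integration test to assert that no rendering path regresses. One caveat on the values: browsers ignore `Strict-Transport-Security` on plain-HTTP responses, so it only has effect on HTTPS, and `X-XSS-Protection` is a legacy header that modern browsers no longer honour, so it should not be relied on in place of output encoding.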
