From: Taher Alkhateeb
Date: Mon, 8 Oct 2018 11:17:11 +0400
Subject: Re: Missing Security Headers in CMS Events
To: OFBiz development mailing list

Hi Deepak,

Sounds good.

Are these headers applied everywhere except CMS? If not, why not apply them everywhere?

On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam wrote:
> Hello All,
>
> While rendering the view through the controller request we set the
> important security headers like x-frame-options, strict-transport-security,
> x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the
> response object. (Please see the 'renderView' method of the RequestHandler
> class.) But these security headers are missing in the pages rendered
> through CMS. (Please visit the CmsEvents class.)
>
> These headers are very crucial for the security of the application as they
> help to prevent various security threats like cross-site scripting,
> cross-site request forgery, clickjacking etc.
>
> IMO, we should add these security headers in the response object prepared
> through the CMS also. WDYT?
>
> Thanks & Regards
> --
> Deepak Nigam
> HotWax Systems Pvt. Ltd.
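An added example, not OFBiz's own code: a small servlet helper that sets the headers Deepak lists from one place, so that both the controller's view rendering and the CMS event path can call it, and a test against the CMS path can report which headers a response still lacks. The class name, the header values and the HSTS value are assumptions; OFBiz keeps its real values in its own configuration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper, not part of OFBiz. Keeping the header set in one
// place is the point: every rendering path (controller view, CMS event)
// calls apply(), so no path can silently drift from the others.
public final class SecurityHeaders {

    // Assumed values; a real deployment would read them from configuration.
    private static final Map<String, String> HEADERS = new LinkedHashMap<>();
    static {
        HEADERS.put("X-Frame-Options", "SAMEORIGIN");          // clickjacking
        HEADERS.put("X-Content-Type-Options", "nosniff");      // MIME sniffing
        HEADERS.put("X-XSS-Protection", "1; mode=block");      // legacy browser XSS filter
        HEADERS.put("Referrer-Policy", "strict-origin-when-cross-origin");
    }
    private static final String HSTS = "max-age=31536000; includeSubDomains";

    private SecurityHeaders() {}

    /** Sets every header on the response. Safe to call from more than one path:
     *  setHeader() replaces rather than appends, so a repeated call changes nothing. */
    public static void apply(HttpServletRequest request, HttpServletResponse response) {
        for (Map.Entry<String, String> h : HEADERS.entrySet()) {
            response.setHeader(h.getKey(), h.getValue());
        }
        // HSTS only has meaning on a TLS response; browsers ignore it over plain
        // HTTP, so emit it only when the request actually arrived over HTTPS.
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security", HSTS);
        }
    }

    /** Names of the expected headers the response does not carry; an empty list
     *  means the path under test (for example a CMS-rendered page) is covered. */
    public static List<String> missing(HttpServletRequest request, HttpServletResponse response) {
        List<String> absent = new ArrayList<>();
        for (String name : HEADERS.keySet()) {
            if (!response.containsHeader(name)) absent.add(name);
        }
        if (request.isSecure() && !response.containsHeader("Strict-Transport-Security")) {
            absent.add("Strict-Transport-Security");
        }
        return absent;
    }
}
```

Calling missing() from a servlet test against a CMS-rendered response is the quickest way to confirm the gap the thread describes, and to confirm it is closed once the CMS path calls apply() too.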