Good catch Deepak, A Jira fits
Jacques Le 08/10/2018 à 07:02, Deepak Nigam a écrit :
Hello All, While rendering the view through the controller request we set the important security headers like x-frame-options, strict-transport-security, x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the response object. (Please see the 'rendervView' method of RequestHandler class.) But these security headers are missing in the pages rendered through CMS. (Please visit the CmsEvents class). These headers are very crucial for the security of the application as they help to prevent various security threats like cross-site scripting, cross-site request forgery, clickjacking etc. IMO, we should add these security headers in the response object prepared through the CMS also. WDYT? Thanks & Regards -- Deepak Nigam HotWax Systems Pvt. Ltd.
