Thank you, all. Here is the Jira ticket <https://issues.apache.org/jira/browse/OFBIZ-10597> for the same. FYI, I have included cache related properties also in the Jira ticket.
Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.

On Mon, Oct 8, 2018 at 1:53 PM Deepak Dixit <deepak.di...@hotwax.co> wrote:
> In RequestHandler they are added to the renderView method.
> I think these should move to another place, since if the controller uses
> any other type instead of a view these headers will not be added to the
> response.
>
> Also we can add a separate method in UtilHttp similar to
> setResponseBrowserProxyNoCache that will add these security headers.
>
> Thanks & Regards
> --
> Deepak Dixit
>
>
> On Mon, Oct 8, 2018 at 1:43 PM, jler...@apache.org <jler...@apache.org>
> wrote:
>
>> They are put in RequestHandler. There is a "Security header" block.
>>
>> Jacques
>>
>>
>> On 08/10/2018 at 09:17, Taher Alkhateeb wrote:
>>
>>> Hi Deepak,
>>>
>>> Sounds good. Are these headers applied everywhere except CMS? If not, then
>>> why not apply them everywhere?
>>>
>>>
>>> On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam <deepak.nigam1...@gmail.com>
>>> wrote:
>>>
>>>> Hello All,
>>>>
>>>> While rendering the view through the controller request we set the
>>>> important security headers like x-frame-options,
>>>> strict-transport-security, x-content-type-options, X-XSS-Protection and
>>>> Referrer-Policy etc. in the response object. (Please see the 'renderView'
>>>> method of the RequestHandler class.) But these security headers are
>>>> missing in the pages rendered through CMS. (Please visit the CmsEvents
>>>> class.)
>>>>
>>>> These headers are very crucial for the security of the application as
>>>> they help to prevent various security threats like cross-site scripting,
>>>> cross-site request forgery, clickjacking etc.
>>>>
>>>> IMO, we should add these security headers in the response object
>>>> prepared through the CMS also. WDYT?
>>>>
>>>> Thanks & Regards
>>>> --
>>>> Deepak Nigam
>>>> HotWax Systems Pvt. Ltd.
>>>>
>>>>
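A standalone helper in the shape Deepak Dixit proposes (a UtilHttp-style method that applies the headers to any HttpServletResponse, so RequestHandler, CmsEvents and non-view responses can share it), written as an added example for this thread rather than OFBiz's own code; the class name, method names and header values are assumptions, and the second method gives a test a way to check a rendered CMS response for the gap described above.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper (not OFBiz's UtilHttp): one place that sets the response security headers. */
public final class SecurityHeaders {

    /** Header names from the thread, with example values chosen here (not OFBiz's configured ones). */
    private static final Map<String, String> HEADERS = new LinkedHashMap<>();
    static {
        HEADERS.put("X-Frame-Options", "SAMEORIGIN");                                   // clickjacking
        HEADERS.put("Strict-Transport-Security", "max-age=31536000; includeSubDomains"); // HTTPS only
        HEADERS.put("X-Content-Type-Options", "nosniff");                               // no MIME sniffing
        HEADERS.put("X-XSS-Protection", "1; mode=block");                               // legacy XSS filter
        HEADERS.put("Referrer-Policy", "strict-origin-when-cross-origin");              // referrer leakage
    }

    private SecurityHeaders() {}

    /** Apply the headers to any response: controller view, CMS page, or another response type. */
    public static void setResponseSecurityHeaders(HttpServletResponse response) {
        for (Map.Entry<String, String> h : HEADERS.entrySet()) {
            // setHeader rather than addHeader, so calling this twice never yields duplicate values
            response.setHeader(h.getKey(), h.getValue());
        }
    }

    /** Names of the headers still absent from a response; an empty list means the set is complete. */
    public static List<String> missingSecurityHeaders(HttpServletResponse response) {
        List<String> missing = new ArrayList<>();
        for (String name : HEADERS.keySet()) {
            if (!response.containsHeader(name)) {
                missing.add(name);
            }
        }
        return missing;
    }
}
```

Strict-Transport-Security is only honoured by browsers on an HTTPS response, so the value matters only once the site is served over TLS.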