[
https://issues.apache.org/jira/browse/OFBIZ-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15055499#comment-15055499
]
Jacques Le Roux commented on OFBIZ-6766:
----------------------------------------
While working on a mean to introduce X-XSS-Protection in OFBiz I stumbled upon
[this exchange between Jacopo and Mark Thomas about HttpHeaderSecurityFilter on
the Tomcat users
ML|https://mail-archives.apache.org/mod_mbox/tomcat-users/201510.mbox/%[email protected]%3E].
[~jacopoc] I did not find any progress, do you have something working on your
side?
BTW AFAIK, unlike the <cookie-config> and <tracking-mode> <session-config>
attributes (see OFBIZ-6655), the
[HttpHeaderSecurityFilter|https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter]
is Tomcat specific (started at 7.0.63). So I believe is nice to have but not
sufficient. Though we are not providing means to use another app server, users
could have their own ways and then I don't think HttpHeaderSecurityFilter would
be used.
In the same spirit, I think we should also embed the
[RestCsrfPreventionFilter|https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs]
and maybe [CORS
Filter|https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter]
and even maybe others there (Expires Filter, etc.)
> Secure HTTP headers
> -------------------
>
> Key: OFBIZ-6766
> URL: https://issues.apache.org/jira/browse/OFBIZ-6766
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: Upcoming Branch
>
>
> I have created a wiki page for this
> https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
