Hi,

We use Spring Security in all our applications. It adds these response headers for free.
Any other Servlet Filter could do the same but I don't mind adding facilities in Wicket too.

Btw one of the security experts from OWASP audited our applications in the last few weeks. Although he has found few problems here and there, he said very nice words for Wicket!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Sat, Aug 27, 2016 at 6:01 PM, Tobias Soloschenko <[email protected]> wrote:

> Hi,
>
> Mozilla just made a tool public which allows scanning websites for security
> risks. Maybe we can somehow add a default set of headers to the page
> rendering of Wicket / apply other security-relevant implementations. Or we
> are able to make them at least optional:
>
> https://observatory.mozilla.org
>
> Example header:
>
> https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection
>
> What do you think about that idea?
>
> kind regards
>
> Tobias
