Robert Muir created SOLR-13982:
----------------------------------
Summary: set security-related http response headers by default
Key: SOLR-13982
URL: https://issues.apache.org/jira/browse/SOLR-13982
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Robert Muir
Solr server should set some best practice http security response headers, to
e.g. protect users of the admin ui against XSS/injection/clickjacking/etc
* Content-Security-Policy
* X-Content-Type-Options
* X-XSS-Protection
* X-Frame-Options
Disabling inline javascript is important, so that e.g. if there is a bug then
injected code doesn't get executed. Unfortunately the current admin UI
dangerously relies on {{eval}}, so for now {{unsafe-eval}} must be allowed so
that everything still works. This should really be cleaned up, i have the
feeling as long as it works this way, that you can still execute stuff.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
