Robert Muir created SOLR-13982:
----------------------------------
Summary: set security-related http response headers by default
Key: SOLR-13982
URL: https://issues.apache.org/jira/browse/SOLR-13982
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Robert Muir
Solr server should set some best-practice HTTP security response headers, to e.g. protect users of the admin UI against XSS/injection/clickjacking/etc:

* Content-Security-Policy
* X-Content-Type-Options
* X-XSS-Protection
* X-Frame-Options

Disabling inline JavaScript is important, so that e.g. if there is a bug then injected code doesn't get executed. Unfortunately the current admin UI dangerously relies on {{eval}}, so for now {{unsafe-eval}} must be allowed so that everything still works. This should really be cleaned up; I have the feeling that, as long as it works this way, you can still execute stuff.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
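As an added illustration (not part of the Jira issue and not Solr's code or configuration), the script below audits a set of HTTP response headers for the four headers the issue lists and parses the Content-Security-Policy value to flag the {{unsafe-eval}} / {{unsafe-inline}} script sources the issue discusses. The three header sets at the bottom are constructed samples: one with no security headers, one "transitional" set that allows {{unsafe-eval}} as the issue says is currently necessary, and one hardened set without it. The header values chosen are common recommendations, assumed here for illustration.

```python
"""Audit HTTP response headers for the security headers discussed in SOLR-13982.

Added example; the header values and sample responses below are constructed
assumptions, not Solr's actual configuration or captured Solr responses.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple, Union

# The headers the issue asks Solr to set, with commonly recommended values.
# None means "present, inspected directive-by-directive" (the CSP case).
EXPECTED_HEADERS: Dict[str, Union[None, str, Tuple[str, ...]]] = {
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": ("deny", "sameorigin"),
}

# Script sources that defeat the point of a CSP: 'unsafe-inline' lets injected
# inline scripts run, 'unsafe-eval' is what an eval-reliant UI forces you to keep.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; the first token is the directive name
    (case-insensitive), the remaining tokens are source expressions.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Browsers ignore later duplicates of a directive; keep the first one.
        policy.setdefault(name, tokens[1:])
    return policy


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the header set is sound."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    for name, expected in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(f"missing header: {name}")
            continue
        value = h[name].lower()
        if isinstance(expected, tuple) and value not in expected:
            findings.append(f"{name}: unexpected value {h[name]!r}")
        elif isinstance(expected, str) and value != expected:
            findings.append(f"{name}: unexpected value {h[name]!r}")

    csp: Optional[str] = h.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is absent.
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("content-security-policy: no script-src or default-src")
        else:
            for src in script_src:
                if src.lower() in RISKY_SCRIPT_SOURCES:
                    findings.append(f"content-security-policy: script-src allows {src}")
    return findings


# Constructed sample header sets (assumptions, not captured Solr responses).
NO_HEADERS = {"Content-Type": "text/html"}

TRANSITIONAL = {
    "Content-Type": "text/html",
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'self' 'unsafe-eval'; "
        "style-src 'self'; img-src 'self'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
}

HARDENED = {
    **TRANSITIONAL,
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'",
}

if __name__ == "__main__":
    for label, sample in (("no headers", NO_HEADERS), ("transitional", TRANSITIONAL), ("hardened", HARDENED)):
        print(f"{label}: {audit_security_headers(sample) or 'OK'}")
```

Running the script shows the progression the issue describes: the bare response is missing all four headers, the transitional set is reported only for the {{unsafe-eval}} script source, and the hardened set produces no findings. Because `script-src` inherits from `default-src`, the parser resolves that fallback before inspecting sources, which is the check that matters when a policy sets `default-src 'none'` and forgets `script-src` entirely.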