https://issues.apache.org/jira/browse/OFBIZ-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16480660#comment-16480660

Jacques Le Roux edited comment on OFBIZ-6766 at 5/23/18 8:48 PM:
-----------------------------------------------------------------

Reading [https://www.fastly.com/blog/headers-we-dont-want] and then checking at
[https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Cache-Control]
[https://stackoverflow.com/questions/34663916/are-cache-control-pre-check-and-post-check-headers-still-supported-by-ie]
[https://blogs.msdn.microsoft.com/ieinternals/2009/07/20/internet-explorers-cache-control-extensions/]

I see that we can update our headers:
 * Expires: Fastly recommends removing it, but Mozilla is more conservative: keeping
 * Pragma: same
 * Cache-Control: same + adding private
 * Cache-Control post-check and pre-check: according to Stackoverflow and especially Microsoft, removing
 * x-frame-options: see my comment in user ML at [https://markmail.org/message/hcw7du22vqcbe4oo] TL;DR better to use a CSP policy
 * x-ua-compatible: it's only in html files. I think it's more history and cargo cult, but I'll ask on dev ML anyway
 * others: we are not concerned :)

I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about x-ua-compatible on dev ML before committing
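As an added illustration (not part of the comment, the attached patch, or OFBiz code), the header decisions listed above can be turned into a small audit that flags a response header set still carrying the obsolete IE pre-check/post-check directives, lacking `private`, or relying on X-Frame-Options without a CSP frame-ancestors directive. The `BEFORE`/`AFTER` header sets are constructed samples, not OFBiz's actual output.

```python
"""Audit a response header set against the header plan in the comment above."""
from typing import Dict, List


def _cache_control_directives(value: str) -> set:
    """Return the lower-cased directive names of a Cache-Control value (no args)."""
    return {d.strip().split("=")[0].lower() for d in value.split(",") if d.strip()}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the header set follows the plan."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    cc = h.get("cache-control")
    if cc is None:
        findings.append("missing Cache-Control")
    else:
        directives = _cache_control_directives(cc)
        # IE-only extensions: to be removed per Microsoft / Stack Overflow
        for legacy in ("pre-check", "post-check"):
            if legacy in directives:
                findings.append(f"Cache-Control contains obsolete IE directive '{legacy}'")
        # 'private' is the directive the comment decides to add
        if "private" not in directives:
            findings.append("Cache-Control lacks 'private'")

    # Pragma and Expires are kept (Mozilla's more conservative advice)
    for kept in ("pragma", "expires"):
        if kept not in h:
            findings.append(f"missing {kept.capitalize()} (kept for legacy caches)")

    # Framing protection should come from CSP rather than X-Frame-Options alone
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" in h and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options set without a CSP frame-ancestors directive")
    # x-ua-compatible is left alone: the comment defers that decision to the dev ML
    return findings


# Constructed sample header sets (not taken from OFBiz)
BEFORE = {
    "Cache-Control": "no-cache, no-store, must-revalidate, post-check=0, pre-check=0",
    "Pragma": "no-cache",
    "Expires": "0",
    "X-Frame-Options": "SAMEORIGIN",
}
AFTER = {
    "Cache-Control": "no-cache, no-store, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
    "Content-Security-Policy": "frame-ancestors 'self'",
}
```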


> Secure HTTP headers
> -------------------
>
>                 Key: OFBIZ-6766
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6766
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01
>
>         Attachments: OFBIZ-6766-UtilHttp.java.patch
>
>
> I have created a wiki page for this 
> https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)