[ https://issues.apache.org/jira/browse/OFBIZ-10597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16641745#comment-16641745 ]

Deepak Nigam commented on OFBIZ-10597:
--------------------------------------

Added a separate method 'setResponseBrowserDefaultSecurityHeaders' in UtilHttp 
similar to 'setResponseBrowserProxyNoCache' and called it from the RequestHandler 
and CmsEvents classes.

Exploring other options to properly place the security headers so that if the 
controller uses any type other than 'view', these headers will still be 
available. 

> Missing Security and Cache Headers in CMS Events
> ------------------------------------------------
>
>                 Key: OFBIZ-10597
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10597
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: cmssite, securityext
>    Affects Versions: Trunk
>            Reporter: Deepak Nigam
>            Assignee: Deepak Nigam
>            Priority: Major
>         Attachments: OFBiz-10597.patch
>
>
> While rendering the view through the controller request we set the important 
> security headers like x-frame-options, strict-transport-security, 
> x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the 
> response object. (Please see the 'renderView' method of the RequestHandler 
> class.) 
>  
> Along the same lines, we set the cache-related headers like Expires, 
> Last-Modified, Cache-Control, Pragma.
>  
> But these security headers are missing in the pages rendered through CMS. 
> (Please visit the CmsEvents class).
>  
> These headers are very crucial for the security of the application as they 
> help to prevent various security threats like cross-site scripting, 
> cross-site request forgery, clickjacking etc.
>  
> IMO, we should add these security headers in the response object prepared 
> through the CMS also. WDYT?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
