[ https://issues.apache.org/jira/browse/OFBIZ-10597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-10597.
-----------------------------------
       Resolution: Fixed
    Fix Version/s: 16.11.06
                   17.12.01

Fixed in 
trunk r1845418+1845420  (damn, forgot cmsevent in 1st commit)
R17.12 r1845419+1845421
R16.11 r1845422

> Missing Security and Cache Headers in CMS Events
> ------------------------------------------------
>
>                 Key: OFBIZ-10597
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10597
>             Project: OFBiz
>          Issue Type: Bug
>          Components: cmssite, securityext
>    Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12
>            Reporter: Deepak Nigam
>            Assignee: Deepak Nigam
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06
>
>         Attachments: OFBIZ-10597.diff, OFBiz-10597.patch
>
>
> While rendering the view through the controller request, we set the important 
> security headers like x-frame-options, strict-transport-security, 
> x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the 
> response object. (Please see the 'renderView' method of RequestHandler 
> class.) 
>  
> Along similar lines, we set the cache related headers like Expires, 
> Last-Modified, Cache-Control, Pragma.
>  
> But these security headers are missing in the pages rendered through CMS. 
> (Please visit the CmsEvents class).
>  
> These headers are very crucial for the security of the application as they 
> help to prevent various security threats like cross-site scripting, 
> cross-site request forgery, clickjacking etc.
>  
> IMO, we should add these security headers in the response object prepared 
> through the CMS also. WDYT?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
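The two rendering paths in the issue each set the same headers by hand, which is how one of them came to miss them. As an added example, not code from OFBiz and not the content of the fix commits listed above (the patch itself is not shown on this page), here is one way to apply the headers the report names from a single javax.servlet Filter, so that every response, whether rendered by the controller or by the CMS, gets them. The class name, the chosen header values and the one-year HSTS max-age are this example's assumptions, not values taken from the project.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not OFBiz code: set the security and cache headers from one
 * place in the servlet chain, so a second rendering path (such as the CMS
 * events in OFBIZ-10597) cannot silently omit them.
 */
public class ResponseHeadersFilter implements Filter {

    // Assumed value for this example: one year, the commonly recommended HSTS lifetime.
    static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    /** Security headers named in the issue. HSTS is only honoured by browsers over TLS. */
    public static void applySecurityHeaders(HttpServletResponse response, boolean secure) {
        response.setHeader("X-Frame-Options", "SAMEORIGIN");         // clickjacking
        response.setHeader("X-Content-Type-Options", "nosniff");      // MIME sniffing
        response.setHeader("X-XSS-Protection", "1; mode=block");      // legacy browser XSS filter
        response.setHeader("Referrer-Policy", "no-referrer-when-downgrade");
        if (secure) {
            response.setHeader("Strict-Transport-Security",
                    "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        }
    }

    /** Cache headers named in the issue, set so dynamic pages are never cached. */
    public static void applyNoCacheHeaders(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);                       // already expired
        response.setDateHeader("Last-Modified", System.currentTimeMillis());
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure for this example
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // Headers must be set before the body is committed, so apply them
            // before handing the request to whichever path renders the page.
            applySecurityHeaders(httpResponse, request.isSecure());
            applyNoCacheHeaders(httpResponse);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Registered in web.xml as a `<filter>` with a `<filter-mapping>` on `/*`, the filter runs before either rendering path writes the body; a handler that genuinely needs different values (a page that must be frameable, or a static resource that should be cached) can still override them with its own setHeader call afterwards. Two caveats: ServletRequest.isSecure() reflects the connection into the servlet container, so behind a TLS-terminating reverse proxy it is false unless the container is told to trust the proxy's forwarded headers (Tomcat's RemoteIpValve, for example), in which case HSTS would never be sent; and X-XSS-Protection is a legacy header that current browsers ignore, so it is harmless but should be backed by a Content-Security-Policy. After deploying, request a CMS-served page with curl -I and confirm every header above is present in the response, not only on controller-rendered views.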