[ https://issues.apache.org/jira/browse/OFBIZ-10597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-10597.
-----------------------------------
    Resolution: Fixed
    Fix Version/s: 16.11.06
                   17.12.01

Fixed in trunk r1845418+1845420 (damn, forgot cmsevent in 1st commit)
R17.12 r1845419+1845421
R16.11 r1845422

> Missing Security and Cache Headers in CMS Events
> ------------------------------------------------
>
>                 Key: OFBIZ-10597
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10597
>             Project: OFBiz
>          Issue Type: Bug
>          Components: cmssite, securityext
>    Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12
>            Reporter: Deepak Nigam
>            Assignee: Deepak Nigam
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06
>
>         Attachments: OFBIZ-10597.diff, OFBiz-10597.patch
>
>
> While rendering the view through the controller request we set the important
> security headers like x-frame-options, strict-transport-security,
> x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the
> response object. (Please see the 'renderView' method of the RequestHandler
> class.)
>
> Along the same lines, we set the cache-related headers like Expires,
> Last-Modified, Cache-Control and Pragma.
>
> But these security headers are missing in the pages rendered through CMS.
> (Please see the CmsEvents class.)
>
> These headers are very crucial for the security of the application as they
> help to prevent various security threats like cross-site scripting,
> cross-site request forgery, clickjacking etc.
>
> IMO, we should add these security headers in the response object prepared
> through the CMS also. WDYT?
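To confirm that a fix like this one actually reaches CMS-rendered pages, the following added check (not OFBiz code, and not part of the issue) audits a response header map for the security and cache headers named in the report. The expected values (SAMEORIGIN/DENY, nosniff, an HSTS max-age) are assumed hardening defaults, not what OFBiz itself emits; the sample header sets are constructed.

```python
import re
import urllib.request
from typing import Callable, Dict, List, Mapping

# Header name -> predicate on its value. The accepted values are assumptions
# (common hardening defaults), not taken from the OFBiz issue above.
SECURITY_HEADERS: Dict[str, Callable[[str], bool]] = {
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Strict-Transport-Security": lambda v: re.search(r"max-age=\d+", v) is not None,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-XSS-Protection": lambda v: v.strip() != "",
    "Referrer-Policy": lambda v: v.strip() != "",
}
CACHE_HEADERS: Dict[str, Callable[[str], bool]] = {
    "Cache-Control": lambda v: v.strip() != "",
    "Pragma": lambda v: v.strip() != "",
    "Expires": lambda v: v.strip() != "",
    "Last-Modified": lambda v: v.strip() != "",
}


def audit_headers(headers: Mapping[str, str]) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'weak': [...]} for one response's headers.
    Names are compared case-insensitively, as HTTP header names are."""
    lower = {k.lower(): v for k, v in headers.items()}
    result: Dict[str, List[str]] = {"missing": [], "weak": []}
    for name, accepted in {**SECURITY_HEADERS, **CACHE_HEADERS}.items():
        value = lower.get(name.lower())
        if value is None:
            result["missing"].append(name)
        elif not accepted(value):
            result["weak"].append(name)
    return result


def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch a page (e.g. a CMS-served URL on a test instance) and audit it."""
    with urllib.request.urlopen(url) as resp:  # assumes a host you operate
        return audit_headers(dict(resp.headers.items()))


# Constructed sample: a CMS page as described before the fix (no such headers).
CMS_BEFORE = {"Content-Type": "text/html;charset=UTF-8"}
# Constructed sample: a controller-rendered page carrying every header.
CONTROLLER = {
    "x-frame-options": "SAMEORIGIN", "strict-transport-security": "max-age=31536000",
    "x-content-type-options": "nosniff", "x-xss-protection": "1; mode=block",
    "referrer-policy": "no-referrer", "cache-control": "no-store",
    "pragma": "no-cache", "expires": "0", "last-modified": "Mon, 05 Nov 2018 10:00:00 GMT",
}

if __name__ == "__main__":
    print("CMS page:", audit_headers(CMS_BEFORE))
    print("Controller page:", audit_headers(CONTROLLER))
```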