Deepak Nigam created OFBIZ-10597:
------------------------------------

             Summary: Missing Security and Cache Headers in CMS Events
                 Key: OFBIZ-10597
                 URL: https://issues.apache.org/jira/browse/OFBIZ-10597
             Project: OFBiz
          Issue Type: Improvement
          Components: securityext
    Affects Versions: Trunk
            Reporter: Deepak Nigam
            Assignee: Deepak Nigam


While rendering the view through a controller request, we set the important 
security headers like X-Frame-Options, Strict-Transport-Security, 
X-Content-Type-Options, X-XSS-Protection, Referrer-Policy etc. in the 
response object. (Please see the 'renderView' method of the RequestHandler class.) 
 
Along the same lines, we set the cache-related headers like Expires, 
Last-Modified, Cache-Control and Pragma.
 
But these security headers are missing from the pages rendered through the CMS. 
(Please see the CmsEvents class.)
 
These headers are crucial for the security of the application, as they help 
to prevent various security threats like cross-site scripting, cross-site 
request forgery, clickjacking etc.
 
IMO, we should add these security headers to the response object prepared 
through the CMS as well. WDYT?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
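As an added example (not OFBiz code and not part of the issue above): a small Python audit that takes the response headers from two render paths and reports which of the security and cache headers named in this issue are absent, or carry a value outside a short allow-list. The header names are the ones listed in the issue; the sample header values, the allow-listed values for X-Frame-Options and X-Content-Type-Options, and the `audit` / `dropped_between` helper names are assumptions of this example.

```python
"""Audit HTTP response headers for the security and cache headers that
OFBiz's RequestHandler.renderView sets on controller-rendered views, so
that another render path (e.g. CMS pages) can be checked against it.

Added example, not OFBiz code. Header names follow the issue text; the
sample values and the accepted values below are assumptions.
"""
from typing import Dict, Iterable, List, Tuple

# Security headers the issue says renderView sets on controller views.
SECURITY_HEADERS: Tuple[str, ...] = (
    "X-Frame-Options",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
)
# Cache-related headers set on the same path.
CACHE_HEADERS: Tuple[str, ...] = ("Expires", "Last-Modified", "Cache-Control", "Pragma")
REQUIRED_HEADERS: Tuple[str, ...] = SECURITY_HEADERS + CACHE_HEADERS

# Assumption of this example: the only values we accept for these two headers.
# Both are matched case-insensitively, as browsers do.
ACCEPTED_VALUES: Dict[str, Tuple[str, ...]] = {
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": ("nosniff",),
}

HeaderList = Iterable[Tuple[str, str]]


def fold_headers(headers: HeaderList) -> Dict[str, List[str]]:
    """Group values by lower-cased field name (HTTP field names are
    case-insensitive) and keep every value, since a header may repeat."""
    folded: Dict[str, List[str]] = {}
    for name, value in headers:
        folded.setdefault(name.strip().lower(), []).append(value.strip())
    return folded


def audit(headers: HeaderList) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (missing, bad_values): required headers that are absent, and
    (canonical name, value) pairs whose value is outside ACCEPTED_VALUES."""
    present = fold_headers(headers)
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in present]
    bad_values: List[Tuple[str, str]] = []
    for name, allowed in ACCEPTED_VALUES.items():
        allowed_upper = {a.upper() for a in allowed}
        for value in present.get(name.lower(), []):
            if value.upper() not in allowed_upper:
                bad_values.append((name, value))
    return missing, bad_values


def dropped_between(reference: HeaderList, candidate: HeaderList) -> List[str]:
    """Required headers present on the reference path but absent on the
    candidate path; this is the gap the issue describes between
    controller-rendered and CMS-rendered pages."""
    ref, cand = fold_headers(reference), fold_headers(candidate)
    return [h for h in REQUIRED_HEADERS if h.lower() in ref and h.lower() not in cand]


# Constructed sample responses (values are illustrative, not OFBiz output).
CONTROLLER_RESPONSE: List[Tuple[str, str]] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Referrer-Policy", "no-referrer-when-downgrade"),
    ("Expires", "0"),
    ("Last-Modified", "Tue, 13 Nov 2018 10:00:00 GMT"),
    ("Cache-Control", "no-store, no-cache, must-revalidate, private"),
    ("Pragma", "no-cache"),
]
CMS_RESPONSE: List[Tuple[str, str]] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for label, resp in (("controller", CONTROLLER_RESPONSE), ("cms", CMS_RESPONSE)):
        missing, bad = audit(resp)
        print(f"{label}: missing={missing} bad_values={bad}")
    print("dropped on cms path:", dropped_between(CONTROLLER_RESPONSE, CMS_RESPONSE))
```

In practice the two header lists would come from `http.client` or `requests` responses for a controller URL and a CMS URL of the same deployment; feeding the real headers into `dropped_between` gives the list of headers a CmsEvents change would need to add.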