On Thu, Dec 14, 2017 at 9:41 AM, Torge Riedel <torgerie...@gmx.de> wrote:

> Hi,
>
> I've set up a trac via https using latest stable trac (1.2.2).
>
> I've found a nice tool checking site configuration:
> https://observatory.mozilla.org/
>
> Checking my trac installation I got a poor "D" rating.
>
> Following is the list of tests failed resulting in a negative score:
>
> Test                      Score   Explanation
> Content Security Policy    -25    Content Security Policy (CSP) header not implemented
> Contribute.json            -10    Contribute.json file cannot be parsed
> X-Content-Type-Options      -5    X-Content-Type-Options header not implemented
> X-Frame-Options            -20    X-Frame-Options (XFO) header not implemented
> X-XSS-Protection           -10    X-XSS-Protection header not implemented
>
> Since other sites hosted on my server get better ratings there must be a
> chance to fix this in the code. Another way is to add such headers to the
> apache config, but I'm not sure whether I am breaking something in trac and
> it's less flexible.
>
> Is there a chance to improve the headers trac is sending? Can I help with
> whatever is helpful?
>
> Regards
> Torge
>

Some or all of this may be best addressed through your web server
configuration. Are you running Apache?

- Ryan
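The web-server route both messages mention, as an added example that was not posted in this thread: an Apache 2.4 virtual-host fragment that sets the four headers Observatory flagged, assuming mod_headers is enabled and using a placeholder hostname and report path.

```apache
# Added example, not from the thread. Requires mod_headers:
#   a2enmod headers && systemctl reload apache2
<VirtualHost *:443>
    # Placeholder hostname; SSL and WSGI/Trac directives omitted.
    ServerName trac.example.org

    # Stop browsers MIME-sniffing responses away from the declared type.
    Header always set X-Content-Type-Options "nosniff"

    # Refuse framing by other origins (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy browser XSS filter; "block" rather than attempting to sanitise.
    Header always set X-XSS-Protection "1; mode=block"

    # CSP is the header most likely to break Trac, because its templates use
    # inline scripts and styles. Deploy it in report-only mode first, review
    # the reports sent to the (hypothetical) /csp-report endpoint, and only
    # then rename the directive to Content-Security-Policy to enforce it.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'; report-uri /csp-report"

    # Contribute.json is a static file at the site root, not a header, so it
    # is not addressed by these directives.
</VirtualHost>
```

"Header always" applies the header to error and redirect responses as well as 2xx responses, which is what Observatory checks.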
