On 14.12.2017 at 21:03, Ryan Ollos wrote:


On Thu, Dec 14, 2017 at 9:41 AM, Torge Riedel <torgerie...@gmx.de> wrote:

    Hi,

    I've set up a trac via https using latest stable trac (1.2.2).

    I've found a nice tool for checking site configuration:
    https://observatory.mozilla.org/

    Checking my trac installation I got a poor "D" rating.

    Following is the list of tests failed resulting in a negative score:

    Test                     Score  Explanation
    Content Security Policy    -25  Content Security Policy (CSP) header not implemented
    Contribute.json            -10  Contribute.json file cannot be parsed
    X-Content-Type-Options      -5  X-Content-Type-Options header not implemented
    X-Frame-Options            -20  X-Frame-Options (XFO) header not implemented
    X-XSS-Protection           -10  X-XSS-Protection header not implemented

    Since other sites hosted on my server get better ratings, there must be a
    chance to fix this in the code. Another way is to add such headers to the
    apache config, but I'm not sure whether I am breaking something in trac, and
    it's less flexible.

    Is there a chance to improve the headers trac is sending? Can I help with
    whatever is helpful?

    Regards
    Torge


Some or all of this may be best addressed through your web server 
configuration. Are you running Apache?

- Ryan
--
You received this message because you are subscribed to the Google Groups "Trac 
Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to 
trac-dev+unsubscr...@googlegroups.com 
<mailto:trac-dev+unsubscr...@googlegroups.com>.
To post to this group, send email to trac-dev@googlegroups.com 
<mailto:trac-dev@googlegroups.com>.
Visit this group at https://groups.google.com/group/trac-dev.
For more options, visit https://groups.google.com/d/optout.

Yes, I am running apache, and I have full access to my server. Others might not 
have full access to the apache config and be able to add headers, or 
mod_headers is not activated.

That's why I think as many of such headers as possible should be sent by trac.

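As an added example (not from either poster nor from the Trac project), this is the Apache mod_headers configuration Ryan's reply points at, covering the four headers the Observatory flagged; Contribute.json is a Mozilla-specific metadata file rather than a header and is left out. The `/trac` path, the CSP source list and the report endpoint are assumptions, and the CSP is started in report-only mode so that anything Trac's templates or plugins do inline shows up as a report before enforcement can break pages.

```apache
# Added example (not from the thread): send the headers the Observatory
# flagged from Apache, so they apply to Trac without changing its code.
# Requires mod_headers (e.g. `a2enmod headers` on Debian/Ubuntu).
# The /trac path, the source lists and the report URI are assumptions.
<Location "/trac">
    # Stop browsers from MIME-sniffing responses (e.g. ticket attachments).
    Header always set X-Content-Type-Options "nosniff"
    # Only this site may frame Trac pages (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy browser XSS filter; the Observatory still scores its absence.
    Header always set X-XSS-Protection "1; mode=block"
    # CSP in report-only mode first: violations (inline scripts or styles
    # from Trac templates and plugins) are reported, not blocked. Rename the
    # header to Content-Security-Policy once reports are clean, and tighten
    # 'unsafe-inline' for script-src then, since it gives up most of CSP's
    # protection against injected script.
    Header always set Content-Security-Policy-Report-Only \
        "default-src 'self'; \
         script-src 'self' 'unsafe-inline'; \
         style-src 'self' 'unsafe-inline'; \
         img-src 'self' data:; \
         frame-ancestors 'self'; \
         report-uri /csp-report-endpoint-assumed"
</Location>
```

After reloading Apache, re-run the Observatory scan and watch the browser console on a few Trac pages (ticket, wiki, timeline) for CSP reports before switching to the enforcing header.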