Am 14.12.2017 um 21:03 schrieb Ryan Ollos:
On Thu, Dec 14, 2017 at 9:41 AM, Torge Riedel <torgerie...@gmx.de <mailto:torgerie...@gmx.de>> wrote: Hi, I've set up a trac via https using latest stable trac (1.2.2). I've found a nice tool checking site configuration: https://observatory.mozilla.org/ <https://observatory.mozilla.org/> Checking my trac installation I got a poor "D" rating. Following is the list of tests failed resulting in a negative score: Test Score Explanation Content Security Policy -25 Content Security Policy (CSP) header not implemented Contribute.json -10 Contribute.json file cannot be parsed X-Content-Type-Options -5 X-Content-Type-Options header not implemented X-Frame-Options -20 X-Frame-Options (XFO) header not implemented X-XSS-Protection -10 X-XSS-Protection header not implemented Since other sites hosted on my server get better ratings there must be a chance to fix this in the code. Another way is to add such headers to the apache config, but I'm not sure whether I am breaking something in trac and it's less flexible. Is there a chance to improve the headers trac is sending? Can I help with whatever is helpful? Regards Torge Some of all of this may be best addressed through your web server configuration. Are you running Apache? - Ryan -- You received this message because you are subscribed to the Google Groups "Trac Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to trac-dev+unsubscr...@googlegroups.com <mailto:trac-dev+unsubscr...@googlegroups.com>. To post to this group, send email to trac-dev@googlegroups.com <mailto:trac-dev@googlegroups.com>. Visit this group at https://groups.google.com/group/trac-dev. For more options, visit https://groups.google.com/d/optout.
Yes, I am running apache. And I have full access to my server. Others might not have full access to the apache config and are able to add headers or mod_headers is not activated. That's why I think as much as possible of such headers should be sent by trac. -- You received this message because you are subscribed to the Google Groups "Trac Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to trac-dev+unsubscr...@googlegroups.com. To post to this group, send email to trac-dev@googlegroups.com. Visit this group at https://groups.google.com/group/trac-dev. For more options, visit https://groups.google.com/d/optout.
