Hi,

in a Wicket 8.8.0 application, I am following what is suggested in https://ci.apache.org/projects/wicket/guide/8.x/single.html#_external_security_checks to add the Content-Security-Policy header to the response.

My application extends AuthenticatedWebApplication so, when accessing the root page, I receive an HTTP 302 redirect to /login;jsessionid=<something>, which is expected. Unfortunately, as far as I can tell, the Content-Security-Policy header is included in the initial request to the root page but missing when I am getting the login page, following the redirect.

Is there anything obvious I am missing here?

Thanks in advance.
Regards.
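
A per-hop check for the situation described in the message above, as an added example that is not part of the original post or of Wicket: it walks a redirect chain one response at a time and records whether each response carries Content-Security-Policy. The names `http_fetch`, `audit_chain`, `missing_csp` and `sample_fetch`, the localhost URL and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def http_fetch(url):
    """Fetch one URL without following redirects; return (status, headers)."""
    parts = urlsplit(url)  # urlsplit keeps ";jsessionid=..." inside the path
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        resp.read()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()

def audit_chain(url, fetch=http_fetch, max_hops=5):
    """Follow redirects manually and report the CSP value seen on every hop."""
    report = []
    for _ in range(max_hops):  # hop limit guards against redirect loops
        status, headers = fetch(url)
        lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
        report.append({"url": url, "status": status,
                       "csp": lowered.get("content-security-policy")})
        location = lowered.get("location")
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative to the current hop
    return report

def missing_csp(report):
    """URLs of the hops whose response had no Content-Security-Policy header."""
    return [hop["url"] for hop in report if not hop["csp"]]

# Constructed responses mirroring the behaviour reported in the message.
SAMPLE = {
    "/": (302, {"Location": "/login;jsessionid=ABC123",
                "Content-Security-Policy": "default-src 'self'"}),
    "/login;jsessionid=ABC123": (200, {"Content-Type": "text/html"}),
}

def sample_fetch(url):
    return SAMPLE[urlsplit(url).path]
```

Calling `audit_chain(url)` with the default `http_fetch` runs the same walk against a live application; `missing_csp` then lists the hops to investigate.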