Inspect and fix Microsoft Edge (Chromium) issues.

[kdubious]

Missing x-content-type-options :

[Skrypt]

Ok let's open up a single issue for these that says. Inspect and fix Microsoft Edge (Chromium) issues.
We need to list them and investigate if they are requiring action(s).

[kdubious]

1. A 'cache-control' header contains directives which are not recommended: 'no-store'
2. A 'cache-control' header contains directives with invalid values: 's-max-age=31557600'
3. A 'set-cookie' header doesn't have the 'httponly' directive.
4. Response should include 'x-content-type-options' header.
5. The 'Pragma' header should not be used, it is deprecated and is a request header only.
6. The 'server' header should only contain the server name.
   7. Response should not include disallowed headers: x-powered-by [ignore, see Should not use 'x-powered-by' #8910]

[sebastienros]

Where is that list of issues/recommendations coming from?

Also I read recently that x-apple-orange is not recommended anymore, and that we should just use apple-orange

[kdubious]

@sebastienros, it's coming from me. And I am getting it from the "Issues" tab in "Edge."

https://webhint.io/

[Skrypt]

[Piedone]

What Edge currently shows are quite different. E.g. on /Admin I see:

Only the first is applicable, which is an accessibility issue, tracked under #15222.

The above-mentioned security issues are a matter of configuration and hosting environment (see the Security module and https://github.com/Lombiq/Helpful-Libraries/blob/dev/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md), so not generally applicable.

Please open specific issues for specific problems, with a rationale attached.