Consider adding more security headers #8

Closed
3 tasks done
alrra opened this issue Oct 11, 2013 · 4 comments

Comments

@alrra
Member

alrra commented Oct 11, 2013

  • X-Content-Type-Options

Done in: fa24f30

  • X-Frame-Options

Done in: fa83e20, bf163ca, 6624819 & e6b77c6

  • X-XSS-Protection

Done in: 74c8f1d & 00d3f63

More information: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

@didacrios

yeah, just requested today to consider adding X-Frame-Options

@alrra
Member Author

alrra commented Oct 11, 2013

> requested adding X-Frame-Options

@Mitsurugi like I previously said: can you open a pull request? Thanks! :)

@didacrios

yeah, I know, I know, but I need to understand forking properly and do the correct procedure!

@didacrios

I think that I've done it correctly: #9

alrra added a commit that referenced this issue Oct 31, 2013
For compatibility reasons (e.g.: legacy servers that serve all files
as `text/plain`), IE 8+ has a MIME-sniffing feature that will attempt
to determine the content-type for each downloaded resource.

In some cases, IE may report a MIME type different than the type
specified by the web server. For instance, if IE finds HTML content in
a file delivered with the HTTP response header `Content-Type: text/plain`,
it determines that the content should be rendered as HTML.

Unfortunately, MIME-sniffing can also lead to security problems for
servers hosting untrusted content.

Fortunately, IE provides web apps with the ability to opt-out of
MIME-sniffing by sending the `X-Content-Type-Options` response header
with the value `nosniff`. This will prevent IE from MIME-sniffing a
response away from the declared content-type.

See also:
* http://msdn.microsoft.com/en-us/library/ie/gg622941
* http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

Besides IE 8+, this feature has been implemented in Chrome, and may soon
come to Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=471020).

Ref: #8.
alrra added a commit that referenced this issue Oct 31, 2013
For compatibility reasons (e.g.: legacy servers that serve all files
as `text/plain`), IE 8+ has a MIME-sniffing feature that will attempt
to determine the content-type for each downloaded resource.

In some cases, IE may report a MIME type different than the type
specified by the web server. For instance, if IE finds HTML content in
a file delivered with the HTTP response header `Content-Type: text/plain`,
it determines that the content should be rendered as HTML.

Unfortunately, MIME-sniffing can also lead to security problems for
servers hosting untrusted content.

Fortunately, IE provides web apps with the ability to opt-out of
MIME-sniffing by sending the `X-Content-Type-Options` response header
with the value `nosniff`. This will prevent IE from MIME-sniffing a
response away from the declared content-type.

See also:
* http://msdn.microsoft.com/en-us/library/ie/gg622941
* http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

Besides IE 8+, this feature has been implemented in Chrome, and may soon
come to Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=471020).

Ref: #8.
alrra added a commit that referenced this issue Nov 1, 2013
For compatibility reasons (e.g.: legacy servers that serve all files
as `text/plain`), IE 8+ has a MIME-sniffing feature that will attempt
to determine the content-type for each downloaded resource.

In some cases, IE may report a different MIME type than the type
specified by the web server. For instance, if IE finds HTML content in a
file delivered with the HTTP response header `Content-Type: text/plain`,
it determines that the content should be rendered as HTML. This can lead
to security problems, especially for servers hosting untrusted content.

Fortunately, IE provides web apps with the ability to opt-out of
MIME-sniffing by sending the `X-Content-Type-Options` response header
with the value `nosniff`.

Besides IE 8+, this feature has recently been implemented in Chrome, and
may soon come to Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=471020.

See also:
  * http://msdn.microsoft.com/en-us/library/ie/gg622941
  * http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

Ref: #8.
alrra pushed a commit that referenced this issue Nov 1, 2013
Give example on how to make Apache provide clickjacking
protection, by sending the `X-Frame-Options` header.

Ref #8.
Close #9.
alrra added a commit that referenced this issue Nov 1, 2013
Sending the `X-Frame-Options` header for everything by default
doesn't bring any value when it comes to providing clickjacking
protection.

Even if some developers may want to send this header for some
other content (e.g.: images) to block other websites from using
it, for the majority that won't be the case.

Ref: #8
     #9
alrra added a commit that referenced this issue Nov 1, 2013
Provide more information on the advantages and disadvantages of sending
the `X-Frame-Options` header, but also inform on what kind of web pages
it should be sent for.

Ref: #8
     #9
alrra pushed a commit that referenced this issue Nov 2, 2013
Give example on how to make Apache provide clickjacking
protection, by sending the `X-Frame-Options` header.

Ref #8.
Close #9.
alrra added a commit that referenced this issue Nov 2, 2013
Sending the `X-Frame-Options` header for everything by default
doesn't bring any value when it comes to providing clickjacking
protection.

Even if some developers may want to send this header for some
other content (e.g.: images) to block other websites from using
it, for the majority that won't be the case.

Ref: #8
     #9
alrra added a commit that referenced this issue Nov 2, 2013
Provide more information on the advantages and disadvantages of sending
the `X-Frame-Options` header, but also inform on what kind of web pages
it should be sent for.

Ref: #8
     #9
alrra added a commit that referenced this issue Nov 4, 2013
Sending the `X-Frame-Options` header for everything by default
doesn't bring any value when it comes to providing clickjacking
protection.

Even if some developers may want to send this header for some
other content (e.g. images) to block websites from using it,
for the majority, that won't be the case.

Ref: #8
     #9
alrra added a commit that referenced this issue Nov 4, 2013
Provide more information on the advantages and disadvantages of sending
the `X-Frame-Options` header, but also inform on what kind of web pages
it should be sent for.

Ref: #8
     #9
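As an added example (not the project's own configuration and not taken from the commits above), the following Apache `mod_headers` fragment sends the three headers from the issue's checklist the way the commit messages argue they should be sent: `X-Content-Type-Options: nosniff` on every response, and `X-Frame-Options` only on pages that a browser could actually render inside a frame rather than on every file. The file-extension pattern, the `DENY` value and the `X-XSS-Protection` value are assumptions for the example.

```apache
# Added example, not the project's shipped config. Assumes mod_headers is
# loaded; the <IfModule> guard keeps Apache from failing to start if not.
<IfModule mod_headers.c>

    # Opt out of MIME-sniffing (IE 8+, Chrome). This is safe for every
    # response, so it is set unconditionally. "always" also covers error
    # responses (4xx/5xx), which plain "Header set" would skip.
    Header always set X-Content-Type-Options "nosniff"

    # Clickjacking protection only matters for documents that can be
    # framed, so restrict the header to HTML-like responses instead of
    # sending it for images, CSS, etc. The extension list is an assumption;
    # adjust it to whatever your server actually renders as pages.
    <FilesMatch "\.(html?|php)$">
        # DENY forbids framing from any origin; use SAMEORIGIN instead if
        # the site legitimately frames its own pages.
        Header always set X-Frame-Options "DENY"

        # Enable the browser's reflected-XSS filter and block the page
        # rather than trying to sanitise it.
        Header always set X-XSS-Protection "1; mode=block"
    </FilesMatch>

</IfModule>
```

After reloading Apache, a quick check with `curl -I` against an HTML page and against an image should show `X-Content-Type-Options` on both responses and `X-Frame-Options` only on the HTML one. Note that `X-XSS-Protection` has since been removed from Chromium-based browsers and was never implemented by Firefox, so it is included here only because it is on the issue's checklist; a Content-Security-Policy is the current mechanism for that class of protection.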
@alrra alrra closed this as completed in 74c8f1d Nov 4, 2013