Missing security headers #616

cedneve · 2023-02-05T15:17:50Z

As part of an external pentest, the following recommendation was formulated for Oxalis:

Configure the following HTTP headers:
• X-Content-Type-Options
• Referrer-Policy
• Permissions-Policy
• Content-Security-Policy
• X-Frame-Options
• Strict-Transport-Security (for HTTPS only)

It seems those security headers are missing in the HTTP responses leading to a medium security issue.

Could you add those or do you wish that we propose a fix to be merged into Oxalis to fix this ?

dladlk · 2023-02-06T13:51:51Z

runekock · 2023-05-04T18:17:42Z

@cedneve
Those headers are for browsers. I don't think they accomplish anything in this context. If you disagree, please explain for each header why it is a good idea.

aaron-kumar · 2023-12-09T14:58:52Z

Things like "Strict-Transport-Security (for HTTPS only)" can be set it through Servlet container like Tomcat and e.g. through Cloudfront. Outside the scope of Oxalis.
Converting it to discussion, just in case you want to continue discussion...

aaron-kumar added the Under review Issues currently being reviewed label Dec 9, 2023

OxalisCommunity locked and limited conversation to collaborators Dec 9, 2023

aaron-kumar converted this issue into discussion #650 Dec 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

This issue was moved to a discussion.

Missing security headers #616

Missing security headers #616

cedneve commented Feb 5, 2023

dladlk commented Feb 6, 2023

runekock commented May 4, 2023

aaron-kumar commented Dec 9, 2023

This issue was moved to a discussion.

This issue was moved to a discussion.

Missing security headers #616

Missing security headers #616

Comments

cedneve commented Feb 5, 2023

dladlk commented Feb 6, 2023

runekock commented May 4, 2023

aaron-kumar commented Dec 9, 2023

This issue was moved to a discussion.