ATC not setting necessary security related HTTP headers #144
Hi there! We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created. The current status is as follows:
This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.
Got a link to something that documents these as standard and why? Those sound like they'd change user-facing behavior in particular ways (
Agreed that we shouldn't set the cache control headers for everyone, but X-XSS-Protection: 1; mode=block and X-Content-Type-Options: nosniff (not mentioned in the original request, but important) are useful and shouldn't impact user-facing behavior. There's a bit more info in the Mozilla Security Guidelines and @jmcarp is having a discussion about adding these headers to Grafana using https://github.com/unrolled/secure in grafana/grafana#6820 which may be a good solution for ATC as well.
Hi all, this will be fixed and delivered as part of 2.7.1 5b04c1f...3d32529#diff-20bd1a6996c96469214da01b9a7aae78
In order to be in compliance with best practice security guidelines, ATC should set the following HTTP headers:
- X-XSS-Protection: 1; mode=block
- Cache-Control: no-cache, no-store, must-revalidate, private
- Pragma: no-cache
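As an added illustration (not ATC's code, not the commit linked above, and not the unrolled/secure library mentioned in the thread), here is a small net/http middleware that applies the headers this thread settles on: X-XSS-Protection and X-Content-Type-Options on every response, and the Cache-Control/Pragma pair only on paths under a configurable prefix, so static assets keep caching as the "not for everyone" comment asks. The routes ("/api/v1/teams", "/public/app.js") and the prefix "/api/" are hypothetical stand-ins for ATC's real routing. One caveat a practitioner should know: current Chrome and Edge no longer implement the XSS Auditor that X-XSS-Protection controlled, and Firefox never did, so the header is harmless but not a real XSS defence; output encoding and a Content-Security-Policy are.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// securityHeaders wraps a handler and adds the headers discussed in this issue.
// The two "always" headers are safe on every response. The no-cache pair is only
// applied to requests whose path starts with one of noCachePrefixes, so static
// assets outside those prefixes are left cacheable. Headers are set before the
// wrapped handler runs, because net/http freezes them on the first Write.
func securityHeaders(next http.Handler, noCachePrefixes ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-XSS-Protection", "1; mode=block")
		h.Set("X-Content-Type-Options", "nosniff")
		for _, p := range noCachePrefixes {
			if strings.HasPrefix(r.URL.Path, p) {
				h.Set("Cache-Control", "no-cache, no-store, must-revalidate, private")
				h.Set("Pragma", "no-cache")
				break
			}
		}
		next.ServeHTTP(w, r)
	})
}

// newHandler builds a tiny mux standing in for ATC's routes (hypothetical paths,
// constructed for this example): one JSON API endpoint that must not be cached
// and one static asset that should stay cacheable.
func newHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/teams", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `[{"name":"main"}]`)
	})
	mux.HandleFunc("/public/app.js", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprint(w, "console.log('hi')")
	})
	return securityHeaders(mux, "/api/")
}

// responseHeaders issues an in-memory GET against h and returns the response
// headers, which is how a test (or a reviewer) can check what a client would see
// without binding a port.
func responseHeaders(h http.Handler, path string) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result().Header
}

func main() {
	h := newHandler()
	for _, p := range []string{"/api/v1/teams", "/public/app.js"} {
		hdr := responseHeaders(h, p)
		fmt.Printf("%s\n  X-XSS-Protection: %q\n  X-Content-Type-Options: %q\n  Cache-Control: %q\n  Pragma: %q\n",
			p,
			hdr.Get("X-XSS-Protection"),
			hdr.Get("X-Content-Type-Options"),
			hdr.Get("Cache-Control"),
			hdr.Get("Pragma"))
	}
}
```

Running it prints the four headers for each path; the API path carries all of them and the static path carries only the two "always" headers. The same check can be done against a live server with `curl -sI` and looking at the response header block.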