OxalisCommunity/oxalis

Missing security headers

cedneve opened this issue · 3 comments

As part of an external pentest, the following recommendation was formulated for Oxalis:

Configure the following HTTP headers:
• X-Content-Type-Options
• Referrer-Policy
• Permissions-Policy
• Content-Security-Policy
• X-Frame-Options
• Strict-Transport-Security (for HTTPS only)

It seems those security headers are missing in the HTTP responses leading to a medium security issue.

Could you add those, or do you wish that we propose a fix to be merged into Oxalis to fix this?

@cedneve
Those headers are for browsers. I don't think they accomplish anything in this context. If you disagree, please explain for each header why it is a good idea.

Things like "Strict-Transport-Security (for HTTPS only)" can be set through a Servlet container like Tomcat and e.g. through Cloudfront. Outside the scope of Oxalis.
Converting it to a discussion, just in case you want to continue the discussion...