Hello All,

While rendering the view through the controller request we set the important security headers like x-frame-options, strict-transport-security, x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the response object. (Please see the 'renderView' method of the RequestHandler class.) But these security headers are missing in the pages rendered through CMS. (Please visit the CmsEvents class.)

These headers are very crucial for the security of the application as they help to prevent various security threats like cross-site scripting, cross-site request forgery, clickjacking etc.

IMO, we should add these security headers in the response object prepared through the CMS also. WDYT?

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.
Hi Deepak,

Sounds good. Are these headers applied everywhere except CMS? If no then why not apply them everywhere?

On Mon, Oct 8, 2018, 9:03 AM Deepak Nigam <[hidden email]> wrote:
They are put in RequestHandler. There is a "Security header" block.

Jacques

Le 08/10/2018 à 09:17, Taher Alkhateeb a écrit :
In reply to this post by deepak nigam-2
Good catch Deepak,

A Jira fits.

Jacques

Le 08/10/2018 à 07:02, Deepak Nigam a écrit :
In reply to this post by jleroux@apache.org
In RequestHandler they are added to the renderView method.

I think these should move to another place, as if the controller uses any other type instead of view, these headers will not be added to the response.

Also we can add a separate method in UtilHttp similar to setResponseBrowserProxyNoCache that will add these security headers.

Thanks & Regards
--
Deepak Dixit

On Mon, Oct 8, 2018 at 1:43 PM, [hidden email] <[hidden email]> wrote:
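The helper and the "apply it everywhere" placement proposed in this thread, written out as an added example. This is not OFBiz code: the class, method and filter names are hypothetical, it assumes the javax.servlet API, and the header values are sample values rather than the project's configured ones.

```java
// Added example (not OFBiz code): a UtilHttp-style helper that sets the security
// headers discussed in the thread, plus a servlet Filter that applies it to every
// response so the headers no longer depend on the controller reaching renderView.
// Assumes the javax.servlet API; header values are sample values chosen here.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class SecurityHeadersExample {

    private SecurityHeadersExample() {}

    /** Hypothetical counterpart to UtilHttp.setResponseBrowserProxyNoCache. */
    public static void setResponseSecurityHeaders(HttpServletRequest request,
                                                  HttpServletResponse response) {
        // Clickjacking: only allow pages from this origin to frame the response.
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // Stop browsers from MIME-sniffing away from the declared Content-Type.
        response.setHeader("X-Content-Type-Options", "nosniff");
        // Legacy header; current browsers ignore it, kept because the thread lists it.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // Limit what the Referer header leaks to other origins.
        response.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
        // Browsers only honour HSTS on an HTTPS response, so set it only there.
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security",
                               "max-age=31536000; includeSubDomains");
        }
    }

    /** Applies the headers to every HTTP response: views, CMS pages and redirects alike. */
    public static final class SecurityHeadersFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
                // Set the headers before the chain runs: once the response is committed
                // (a redirect, or a flushed view), later setHeader calls are silently dropped.
                setResponseSecurityHeaders((HttpServletRequest) req, (HttpServletResponse) res);
            }
            chain.doFilter(req, res);
        }

        @Override
        public void destroy() {}
    }
}
```

Registering the filter in web.xml with a url-pattern of /* covers the case Deepak Dixit raises (controller responses that never reach renderView) as well as the CMS pages from the original post; a quick check after deploying is to fetch one CMS page and one redirect with curl -I and confirm both carry the headers.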
Thank you, all.

Here is the Jira ticket <https://issues.apache.org/jira/browse/OFBIZ-10597> for the same. FYI, I have included cache related properties also in the Jira ticket.

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.

On Mon, Oct 8, 2018 at 1:53 PM Deepak Dixit <[hidden email]> wrote:
In reply to this post by Deepak Dixit-4
+1

Jacques

Le 08/10/2018 à 10:23, Deepak Dixit a écrit :