[
https://issues.apache.org/jira/browse/OFBIZ-10597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16641597#comment-16641597 ]
Jacques Le Roux commented on OFBIZ-10597:
-----------------------------------------
A discussion started there:
https://markmail.org/message/rubkdyhgr3feykul. I agree with Deepak Dixit there:
{quote}
In RequestHandler they are added to the renderView method,
I think these should move to another place as if the controller uses
any other type instead view these headers will not be added to the response.
Also we can add a separate method in UtiHttp similar to
setResponseBrowserProxyNoCache that will add these security headers.
{quote}
> Missing Security and Cache Headers in CMS Events
> ------------------------------------------------
>
> Key: OFBIZ-10597
> URL:
https://issues.apache.org/jira/browse/OFBIZ-10597> Project: OFBiz
> Issue Type: Improvement
> Components: cmssite, securityext
> Affects Versions: Trunk
> Reporter: Deepak Nigam
> Assignee: Deepak Nigam
> Priority: Major
>
> While rendering the view through the controller request we set the important security headers like x-frame-options, strict-transport-security, x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the response object. (Please see the 'rendervView' method of RequestHandler class.)
>
> In the similar line, we set the cache related headers like Expires, Last-Modified, Cache-Control, Pragma.
>
> But these security headers are missing in the pages rendered through CMS. (Please visit the CmsEvents class).
>
> These headers are very crucial for the security of the application as they help to prevent various security threats like cross-site scripting, cross-site request forgery, clickjacking etc.
>
> IMO, we should add these security headers in the response object prepared through the CMS also. WDYT?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Locked
