[
https://issues.apache.org/jira/browse/OFBIZ-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15055499#comment-15055499 ]
Jacques Le Roux commented on OFBIZ-6766:
----------------------------------------
While working on a mean to introduce X-XSS-Protection in OFBiz I stumbled upon [this exchange between Jacopo and Mark Thomas about HttpHeaderSecurityFilter on the Tomcat users ML|
https://mail-archives.apache.org/mod_mbox/tomcat-users/201510.mbox/%3C561633E6.4030801@...%3E]. [~jacopoc] I did not find any progress, do you have something working on your side?
BTW AFAIK, unlike the <cookie-config> and <tracking-mode> <session-config> attributes (see OFBIZ-6655), the [HttpHeaderSecurityFilter|
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter] is Tomcat specific (started at 7.0.63). So I believe is nice to have but not sufficient. Though we are not providing means to use another app server, users could have their own ways and then I don't think HttpHeaderSecurityFilter would be used.
In the same spirit, I think we should also embed the [RestCsrfPreventionFilter|
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs] and maybe [CORS Filter|
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter] and even maybe others there (Expires Filter, etc.)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Locked
