[ https://issues.apache.org/jira/browse/OFBIZ-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058368#comment-15058368 ]
Forrest Rae commented on OFBIZ-6766:
------------------------------------
Jacques,
In the spirit of secure by default I'd like to throw my vote in for HttpHeaderSecurityFilter being enabled by default moving forward.
hstsEnabled is an absolute must; do this over the other two. As a workaround, if you leverage the mod_ajpproxy setup of Apache server in front of Tomcat, there is a really awesome Apache config found in the Better Crypto Guide that enables HSTS here:
https://bettercrypto.org

blockContentTypeSniffingEnabled would really help in situations where file uploads are replayed back to another user's web browser, to prevent arbitrary HTML and JavaScript being executed in the SAMEORIGIN. More info:
http://security.stackexchange.com/questions/12896/does-x-content-type-options-really-prevent-content-sniffing-attacks

Clickjacking can be more severe than you think, and any countermeasures you can provide would be great for users.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
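The three filter options discussed in the comment (hstsEnabled, antiClickJackingEnabled, blockContentTypeSniffingEnabled) each map to one response header that Tomcat's HttpHeaderSecurityFilter adds: Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options. The following is an added example, not code from the ticket, OFBiz or Tomcat: a small Python audit that takes a captured set of response headers and reports which of the three defences is missing or weakened. The sample header sets are constructed here, and the minimum HSTS max-age threshold is an assumed value; the one caveat it encodes that is worth knowing is that Tomcat's hstsMaxAgeSeconds defaults to 0, and a `max-age=0` header instructs browsers to drop the HSTS policy rather than enforce it.

```python
"""Audit a response's security headers for the three HttpHeaderSecurityFilter defences."""

# Assumed policy threshold (about six months); tune to your own deployment.
MIN_HSTS_MAX_AGE = 15768000

# Constructed sample header sets (not from the ticket).
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html;charset=UTF-8",
}
UNFILTERED = {
    "Content-Type": "text/html;charset=UTF-8",
}
# What you get with hstsEnabled=true but hstsMaxAgeSeconds left at its default of 0.
DEFAULT_MAX_AGE = {
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}


def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header value, or None if malformed."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def audit_security_headers(headers):
    """Return a list of findings; an empty list means all three defences look sane."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # 1. HSTS: header present, parseable, non-zero and long enough.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("HSTS: malformed header, no valid max-age directive")
        else:
            max_age, include_sub = parsed
            if max_age == 0:
                findings.append("HSTS: max-age=0 tells browsers to forget the policy "
                                "(Tomcat's hstsMaxAgeSeconds default)")
            elif max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS: max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
            if not include_sub:
                findings.append("HSTS: includeSubDomains not set")

    # 2. Content sniffing: only the literal token 'nosniff' is meaningful.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("Sniffing: X-Content-Type-Options header missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"Sniffing: X-Content-Type-Options has unexpected value {xcto!r}")

    # 3. Clickjacking: DENY or SAMEORIGIN are enforceable; anything else is not.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("Clickjacking: X-Frame-Options header missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"Clickjacking: X-Frame-Options value {xfo!r} is not DENY/SAMEORIGIN")

    return findings


if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("unfiltered", UNFILTERED),
                          ("default max-age", DEFAULT_MAX_AGE)):
        print(label, audit_security_headers(sample) or "OK")
```

Run it against headers captured from a real response (for example the dict returned by a client library) instead of the constructed samples; an empty result means the filter is on and configured with a non-zero max-age, a DENY/SAMEORIGIN frame option and nosniff.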