[OFBIZ-10597] Missing Security and Cache Headers in CMS Events - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Release Branch 16.11, Release Branch 17.12, Trunk
Fix Version/s: 16.11.06, 17.12.01
Component/s: cmssite, securityext
Labels:
None

Description

While rendering the view through the controller request we set the important security headers like x-frame-options, strict-transport-security, x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the response object. (Please see the 'rendervView' method of RequestHandler class.)

In the similar line, we set the cache related headers like Expires, Last-Modified, Cache-Control, Pragma.

But these security headers are missing in the pages rendered through CMS. (Please visit the CmsEvents class).

These headers are very crucial for the security of the application as they help to prevent various security threats like cross-site scripting, cross-site request forgery, clickjacking etc.

IMO, we should add these security headers in the response object prepared through the CMS also. WDYT?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OFBIZ-10597.diff
21/Oct/18 09:01
9 kB
Jacques Le Roux
OFBiz-10597.patch
08/Oct/18 12:11
6 kB
Deepak Nigam

Activity

People

Assignee:: Deepak Nigam

Reporter:: Deepak Nigam

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 08/Oct/18 08:35

Updated:: 15/Nov/18 10:51

Resolved:: 01/Nov/18 09:44