Solr / SOLR-13982

set security-related HTTP response headers by default


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8.4
    • Component/s: None
    • Labels: None

    Description

      Solr server should set some best-practice HTTP security response headers, to e.g. protect users of the admin UI against XSS/injection/clickjacking/etc.

      • Content-Security-Policy
      • X-Content-Type-Options
      • X-XSS-Protection
      • X-Frame-Options

      Disabling inline javascript is important, so that e.g. if there is a bug then injected code doesn't get executed. Unfortunately the current admin UI dangerously relies on eval, so for now unsafe-eval must be allowed so that everything still works. This should really be cleaned up; I have the feeling that, as long as it works this way, you can still execute stuff.
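      As an added illustration (not code from the Solr project or from this issue): a small Python audit that takes a response's headers, checks that the four headers the description lists are present with sane values, and parses the Content-Security-Policy to flag a script-src that still permits 'unsafe-inline' or 'unsafe-eval', the compromise the description mentions. The header values below are constructed samples, not captured from a Solr node; the function and constant names are this example's own.

```python
# Added example, not Solr's own code: audit HTTP response headers against the
# four headers listed in SOLR-13982 and flag a CSP that still allows eval'd or
# inline script. Sample headers at the bottom are constructed, not captured.
from typing import Dict, List

REQUIRED = (
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "X-Frame-Options",
)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated and whitespace-tokenised; names are
    case-insensitive. Browsers honour the first occurrence of a directive and
    ignore later duplicates, which setdefault() reproduces.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the response passes."""
    # Header names are case-insensitive, so compare on a lower-cased copy.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    for name in REQUIRED:
        if name.lower() not in lower:
            findings.append(f"missing {name}")

    csp = lower.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP lacks default-src, so unlisted fetch directives are unrestricted")
        # script-src falls back to default-src when it is not given explicitly.
        script_src = policy.get("script-src", policy.get("default-src", []))
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in script_src:
                findings.append(f"CSP allows {keyword} in script-src")
        if "*" in script_src:
            findings.append("CSP script-src allows any origin (*)")

    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be 'nosniff', got {xcto!r}")

    xfo = lower.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options should be DENY or SAMEORIGIN, got {xfo!r}")

    # '1; mode=block' was the recommended value when this issue was filed; the
    # browser XSS auditors it controls have since been removed, so this header is
    # now largely inert, but a wrong value is still worth reporting.
    xxp = lower.get("x-xss-protection")
    if xxp is not None and xxp.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection should be '1; mode=block', got {xxp!r}")

    return findings


# Constructed sample: hardened except that, as the description says, the admin
# UI still needs eval, so 'unsafe-eval' remains in script-src.
ADMIN_UI_HEADERS = {
    "Content-Type": "text/html;charset=utf-8",
    "Content-Security-Policy": (
        "default-src 'none'; base-uri 'none'; connect-src 'self'; "
        "img-src 'self'; style-src 'self' 'unsafe-inline'; "
        "script-src 'self' 'unsafe-eval'; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: a response with none of the security headers set.
BARE_HEADERS = {"Content-Type": "application/json"}


if __name__ == "__main__":
    for label, hdrs in (("admin UI", ADMIN_UI_HEADERS), ("bare", BARE_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['ok']}")
```

      Only script-src is inspected for the unsafe keywords; 'unsafe-inline' in style-src is deliberately not reported, since the description's concern is script execution. Feeding the function the headers of a live node (e.g. from `urllib.request.urlopen(...).headers`) gives the same findings.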

      Attachments

        Issue Links

        Activity


          People

            Assignee: Robert Muir (rcmuir)
            Reporter: Robert Muir (rcmuir)
            Votes: 0
            Watchers: 5

            Dates

              Created:
              Updated:
              Resolved:
