It was found that the frontend and backend websites fail to deploy HTTP security headers. This unnecessarily exposes CiviCDR users to clickjacking, XSS, TLS channel downgrade (SSL stripping) attacks and other similar client-side attacks. The issue can be replicated by navigating to the website and backend URLs provided next and observing the HTTP response headers returned by each.
It is recommended to change the above header composition to something like the following. Please note that Amazon S3 by itself cannot set arbitrary custom HTTP response headers, so fixing the headers on the amazonaws.com subdomain will require either fronting the bucket with a CDN or reverse proxy that can add them (for example CloudFront with a response headers policy) or employing a web server other than Amazon S3.
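The following is an added example, not code from the report or from CiviCDR: an offline checker that takes a response's header map and reports which of the recommended security headers are missing or weak. The two header sets are constructed to mirror a bare S3-style response and a hardened one; the baselines (required headers, minimum HSTS max-age) are this example's own assumptions, not values taken from the report.

```python
"""Offline audit of HTTP response security headers.

Added example for this finding; it is not the report's or CiviCDR's code.
The header sets below are constructed, not captured from the target, and
the baselines (minimum HSTS max-age, required headers) are assumptions."""
import re

HSTS_MIN_AGE = 15552000  # 180 days; assumed baseline, not from the report


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    lname = name.lower()
    for key, value in headers.items():
        if key.lower() == lname:
            return value
    return None


def _csp_directives(csp):
    """Parse a CSP string into {directive-name: [lowercased source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers):
    """Return a list of findings (strings) for missing or weak security headers."""
    findings = []

    # HSTS: without it an active attacker can keep the victim on plaintext HTTP.
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security (TLS downgrade)")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("weak Strict-Transport-Security: max-age below %d" % HSTS_MIN_AGE)

    # Framing: either CSP frame-ancestors or X-Frame-Options blocks clickjacking.
    csp = _get(headers, "Content-Security-Policy")
    directives = _csp_directives(csp) if csp else {}
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing restriction (clickjacking): set CSP frame-ancestors or X-Frame-Options")

    # CSP: absent, or with script-src permitting inline scripts, leaves XSS unmitigated.
    if csp is None:
        findings.append("missing Content-Security-Policy (XSS)")
    else:
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("weak Content-Security-Policy: script-src allows 'unsafe-inline'")

    # MIME sniffing and referrer leakage.
    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if _get(headers, "Referrer-Policy") is None:
        findings.append("missing Referrer-Policy")

    return findings


# Constructed header sets (not captured from the target).
BARE_HEADERS = {"Content-Type": "text/html", "Server": "AmazonS3"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("bare", BARE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

To run it against a live host, feed `audit_headers` the header map from an HTTP client response (for example `dict(resp.headers)` from `requests`) instead of the constructed dictionaries; the checker deliberately treats a framing restriction as satisfied by either mechanism, since a CSP `frame-ancestors` directive supersedes `X-Frame-Options` in browsers that support it.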