Open mkrusche opened 6 years ago
The ZAP scanner detected the following Web server configuration issues:
X-Frame-Options Header Not Set (enabling click jacking by allowing a page to be rendered in a , , or <object>) Web Browser XSS Protection Not Enabled (disabling the cross-site scripting filter built into most/all modern Web browsers) X-Content-Type-Options Header Missing (enabling drive-by downloads and content being treated as a different content type) Cookie Without Secure Flag (enabling cookies to be transmitted without encryption) Cookie No HttpOnly Flag (exposing cookies to access by possibly nefarious JavaScript code) For Apache, these may be managed by starting with and appropriately customizing the Apache configuration found in the CRC Best Practices wiki at:</p> <p><a rel="noreferrer nofollow" target="_blank" href="https://redmine.crc.nd.edu/redmine/projects/bestpractice/wiki/General_Security_Approach#Suggested-General-Apache-Configuration">https://redmine.crc.nd.edu/redmine/projects/bestpractice/wiki/General_Security_Approach#Suggested-General-Apache-Configuration</a> For additional detail on these findings, please review the ZAP reports at:</p> <p><a rel="noreferrer nofollow" target="_blank" href="https://baldin.crc.nd.edu/CRC-Restricted/ScanResults/CyberEye-NJ/2018/ZAP_CyberEye-NJ_2-21-18.html">https://baldin.crc.nd.edu/CRC-Restricted/ScanResults/CyberEye-NJ/2018/ZAP_CyberEye-NJ_2-21-18.html</a> NOTE: the priority for this Redmine issue is set to "High" as a result of the "X-Frame-Options Header Not Set" finding. The remainder of the findings are each "Low" in priority. For convenience and ease of addressing these findings, however, they are all lumped together.</p> <p><a rel="noreferrer nofollow" target="_blank" href="https://redmine.crc.nd.edu/redmine/issues/9585">https://redmine.crc.nd.edu/redmine/issues/9585</a></p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>
The ZAP scanner detected the following Web server configuration issues:
X-Frame-Options Header Not Set (enabling click jacking by allowing a page to be rendered in a ,