Open mkrusche opened 6 years ago
The ZAP scanner detected the following Web server configuration issues:
- X-Frame-Options Header Not Set (enabling click jacking by allowing a page to be rendered in a `<frame>`, `<iframe>`, or `<object>`)
- Web Browser XSS Protection Not Enabled (disabling the cross-site scripting filter built into most/all modern Web browsers)
- X-Content-Type-Options Header Missing (enabling drive-by downloads and content being treated as a different content type)
- Cookie Without Secure Flag (enabling cookies to be transmitted without encryption)
- Cookie No HttpOnly Flag (exposing cookies to access by possibly nefarious JavaScript code)

For Apache, these may be managed by starting with and appropriately customizing the Apache configuration found in the CRC Best Practices wiki at:
https://redmine.crc.nd.edu/redmine/projects/bestpractice/wiki/General_Security_Approach#Suggested-General-Apache-Configuration

For additional detail on these findings, please review the ZAP reports at:
https://baldin.crc.nd.edu/CRC-Restricted/ScanResults/CyberEye-NJ/2018/ZAP_CyberEye-NJ_2-21-18.html

NOTE: the priority for this Redmine issue is set to "High" as a result of the "X-Frame-Options Header Not Set" finding. The remainder of the findings are each "Low" in priority. For convenience and ease of addressing these findings, however, they are all lumped together.
https://redmine.crc.nd.edu/redmine/issues/9585
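The five findings above can be re-checked locally before re-running ZAP. The following is an added example, not code from this issue or from the CRC wiki: it audits a response's headers for exactly these five findings, using two constructed header sets (a weak one and a hardened one); the Apache `mod_headers` directives in the comments are the usual remedies, not the wiki's configuration.

```python
from __future__ import annotations

from typing import Iterable

# Constructed sample responses (not taken from the ZAP report linked above).
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "SAMEORIGIN"),        # Header always set X-Frame-Options "SAMEORIGIN"
    ("X-XSS-Protection", "1; mode=block"),    # Header always set X-XSS-Protection "1; mode=block"
    ("X-Content-Type-Options", "nosniff"),    # Header always set X-Content-Type-Options "nosniff"
    # Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]


def audit_headers(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Return the ZAP finding names (as worded in the issue) that apply to these headers."""
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)  # header names are case-insensitive

    findings: list[str] = []
    if "x-frame-options" not in by_name:
        findings.append("X-Frame-Options Header Not Set")
    # ZAP flags both a missing header and an explicit "0"; note that current browsers
    # have dropped the XSS auditor, so this header is a legacy defence only.
    xss = by_name.get("x-xss-protection", [])
    if not xss or xss[-1].strip().startswith("0"):
        findings.append("Web Browser XSS Protection Not Enabled")
    if "nosniff" not in [v.strip().lower() for v in by_name.get("x-content-type-options", [])]:
        findings.append("X-Content-Type-Options Header Missing")
    # Each Set-Cookie is checked separately: Secure and HttpOnly are valueless attributes.
    for cookie in by_name.get("set-cookie", []):
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("Cookie Without Secure Flag")
        if "httponly" not in attrs:
            findings.append("Cookie No HttpOnly Flag")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or "no findings")
```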