Closed phavekes closed 4 hours ago
The link part could have "origin-when-cross-origin" for Referrer-Policy. Or if difficult to have two variants, use "origin-when-cross-origin" for the entire app. (Thijs Kinkhorst - Feb 5, 2020)
The front end does not seem to expose the mentioned headers.
```
HTTP/2 200 OK
date: Wed, 05 Feb 2020 15:54:00 GMT
server: Apache
last-modified: Tue, 19 Nov 2019 09:49:56 GMT
etag: "218-597affc913900-gzip"
accept-ranges: bytes
vary: Accept-Encoding
content-encoding: gzip
content-length: 350
content-type: text/html; charset=UTF-8
set-cookie: HTTPSERVERID=t07|XjrlG; path=/; HttpOnly; Secure; SameSite=None
cache-control: private
strict-transport-security: max-age=15768000
X-Firefox-Spdy: h2
```
(Thijs Kinkhorst - Feb 5, 2020)
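A small checker for exactly this kind of header dump, added here as an example; it is not code from the issue or from the project the issue belongs to. It parses the raw response Thijs pasted above (copied into the block as sample input), reports which of a set of commonly recommended security headers are absent, and validates the values of those that are present. Because the issue's own list of required headers is not reproduced on this page, the set in `REQUIRED_HEADERS`, the one-year HSTS threshold and the list of acceptable `Referrer-Policy` values are assumptions made for the example.

```python
"""Audit a raw HTTP response header dump for recommended security headers."""
import re
from typing import Dict, List, Optional, Tuple

# Response headers copied from the comment above (test2 front end, Feb 5, 2020).
SAMPLE_RESPONSE = """HTTP/2 200 OK
date: Wed, 05 Feb 2020 15:54:00 GMT
server: Apache
last-modified: Tue, 19 Nov 2019 09:49:56 GMT
etag: "218-597affc913900-gzip"
accept-ranges: bytes
vary: Accept-Encoding
content-encoding: gzip
content-length: 350
content-type: text/html; charset=UTF-8
set-cookie: HTTPSERVERID=t07|XjrlG; path=/; HttpOnly; Secure; SameSite=None
cache-control: private
strict-transport-security: max-age=15768000
X-Firefox-Spdy: h2
"""

# Headers an admin interface is expected to send. This set is an assumption for the
# example; the issue's own list is not reproduced on the page.
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
}

# Referrer-Policy values that never send the path/query of the URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "origin", "origin-when-cross-origin",
    "strict-origin", "strict-origin-when-cross-origin",
}
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this check


def parse_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a dump into its status line and a lower-cased name -> values map.
    Repeated headers (set-cookie) keep every value, in order."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_referrer_policy(value: str) -> Optional[str]:
    """Return a finding for a weak Referrer-Policy, or None if it is acceptable.
    The header may carry a comma-separated list; browsers apply the last token."""
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    if not tokens:
        return "Referrer-Policy is empty"
    effective = tokens[-1]
    if effective not in SAFE_REFERRER_POLICIES:
        return f"Referrer-Policy '{effective}' can send the full URL to other origins"
    return None


def check_hsts(value: str) -> List[str]:
    """Flag a short max-age or a missing includeSubDomains directive."""
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        findings.append("Strict-Transport-Security has no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is shorter than one year")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the missing required headers and findings about the present ones."""
    missing = sorted(REQUIRED_HEADERS - set(headers))
    findings: List[str] = []
    for value in headers.get("strict-transport-security", []):
        findings.extend(check_hsts(value))
    for value in headers.get("referrer-policy", []):
        finding = check_referrer_policy(value)
        if finding:
            findings.append(finding)
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        name = cookie.split("=", 1)[0]
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return {"missing": missing, "findings": findings}


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_RESPONSE)
    result = audit(hdrs)
    print(status)
    for h in result["missing"]:
        print("missing:", h)
    for f in result["findings"]:
        print("finding:", f)
```

Run against the dump above it lists the four absent headers and flags the six-month HSTS `max-age`; the session cookie passes because it already carries `Secure` and `HttpOnly`. Pointing the same `audit` at a fresh `curl -sI` capture is a quick way to confirm a deploy actually shipped the headers.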
Forgot to deploy. Now on test2. (Okke Harsta - Feb 6, 2020)
This issue is imported from pivotal - Originally created at Feb 5, 2020 by Thijs Kinkhorst
As an admin interface, this should have appropriate security headers to prevent exploits proactively: