OxalisCommunity / oxalis

Oxalis - PEPPOL Access Point open source implementation - Core component

Missing security headers #616

Closed cedneve closed 7 months ago

cedneve commented 1 year ago

As part of an external pentest, the following recommendation was formulated for Oxalis:

Configure the following HTTP headers:

- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
- Content-Security-Policy
- X-Frame-Options
- Strict-Transport-Security (for HTTPS only)

It seems those security headers are missing in the HTTP responses leading to a medium security issue.

Could you add those, or do you wish that we propose a fix to be merged into Oxalis to fix this?

dladlk commented 1 year ago

[image attachment]

runekock commented 1 year ago

@cedneve Those headers are for browsers. I don't think they accomplish anything in this context. If you disagree, please explain for each header why it is a good idea.

aaron-kumar commented 7 months ago

Things like "Strict-Transport-Security (for HTTPS only)" can be set through a Servlet container like Tomcat and e.g. through CloudFront. Outside the scope of Oxalis. Converting it to a discussion, just in case you want to continue the discussion...
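For readers who do want the headers from the recommendation emitted by the servlet container that hosts an access point, the following is an added example of a servlet `Filter` that sets them; it is not code from Oxalis and is not proposed as a change to the project. It assumes the `javax.servlet` API (a Jakarta-based container would use the `jakarta.servlet` package names instead), and the header values it chooses (a one-year HSTS max-age, a `default-src 'none'` CSP, the `Permissions-Policy` feature list) are illustrative defaults for an endpoint that serves no browser UI, not values the thread specifies.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Oxalis) that adds the headers listed in the
 * pentest recommendation to every HTTP response of the web application.
 * Register it in web.xml with a <filter> element and a <filter-mapping>
 * whose <url-pattern> is /* so that it runs in front of every servlet.
 */
public class SecurityHeadersFilter implements Filter {

    // One year; assumption that HTTPS is permanent for this host.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    // Assumed policies for a machine-to-machine endpoint with no browser UI:
    // nothing may be loaded by a page, and the response may not be framed.
    private static final String CSP_VALUE = "default-src 'none'; frame-ancestors 'none'";
    private static final String PERMISSIONS_POLICY_VALUE = "geolocation=(), camera=(), microphone=()";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration is needed for this example.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Headers must be set before the response is committed, so add them
        // before handing the request down the chain.
        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
            addHeaders((HttpServletRequest) request, (HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }

    /** Sets the five unconditional headers, plus HSTS only on an HTTPS request. */
    static void addHeaders(HttpServletRequest request, HttpServletResponse response) {
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Referrer-Policy", "no-referrer");
        response.setHeader("Permissions-Policy", PERMISSIONS_POLICY_VALUE);
        response.setHeader("Content-Security-Policy", CSP_VALUE);

        // The recommendation says "for HTTPS only": a browser ignores HSTS received
        // over plain HTTP, so it is sent only when the container sees a secure request.
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Two caveats apply to the HSTS branch. First, `request.isSecure()` reflects what the container knows: when TLS is terminated at a load balancer or CDN in front of Tomcat, the container sees plain HTTP unless its connector is marked `secure="true"` or a `RemoteIpValve` is configured to trust the `X-Forwarded-Proto` header from that proxy; otherwise the header is silently never sent. Second, as the thread notes, Tomcat already ships `org.apache.catalina.filters.HttpHeaderSecurityFilter`, which can set `Strict-Transport-Security`, `X-Frame-Options` and `X-Content-Type-Options` from web.xml without application code, so a filter like the one above is only needed for the remaining headers (`Content-Security-Policy`, `Referrer-Policy`, `Permissions-Policy`) or when the headers are not applied at the proxy layer instead.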