TeamMentor / TM_4_0_Design

Repo Holds TM 4.x issues

No Security related headers are set #1120

Open romichg opened 8 years ago

romichg commented 8 years ago

As @craSH points out "I checked the current one and it doesn't appear to have explicit Clickjacking prevention via X-Frame-Options headers (or any of the security headers, woups)"

We should set appropriate security headers. https://securityheaders.io/?q=https%3A%2F%2Fteammentor.net%2Fangular%2Fguest%2Flogin&hide=on

craSH commented 8 years ago

Is this something that can make it back to current and previous versions as well? At least for some of the headers, they can be easily added to the web server configuration without needing to be application-specific (like CSP would need).
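An offline audit of the headers this thread discusses, added here as an example; it is not TeamMentor code or output from securityheaders.io. It separates the headers whose value is the same for every page (settable in the web server configuration, as craSH notes) from Content-Security-Policy, which needs an application-specific policy. The three sample responses are constructed, and the acceptance thresholds (DENY/SAMEORIGIN for X-Frame-Options, a one-year HSTS max-age, a non-wildcard default-src) are this example's own choices, not anything the issue states.

```python
"""Offline audit of HTTP security response headers (added example, not TeamMentor code)."""
import re


def _frame_options_ok(value):
    # Browsers ignore any value other than DENY or SAMEORIGIN (e.g. ALLOWALL),
    # so such a header gives no clickjacking protection at all.
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def _hsts_ok(value):
    # Chosen threshold: max-age of at least one year (31536000 s).
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return match is not None and int(match.group(1)) >= 31536000


def _nosniff_ok(value):
    return value.strip().lower() == "nosniff"


def _csp_ok(value):
    # Minimal sanity check: a default-src fallback must exist and must not be a wildcard.
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("default-src")
    return bool(sources) and "*" not in sources


# Same value on every page, so these can be added in the web server configuration.
SERVER_LEVEL = {
    "X-Frame-Options": _frame_options_ok,
    "Strict-Transport-Security": _hsts_ok,
    "X-Content-Type-Options": _nosniff_ok,
}
# A usable CSP depends on which scripts, styles and frames the application loads.
APP_LEVEL = {
    "Content-Security-Policy": _csp_ok,
}


def parse_response(raw):
    """Parse the head of a raw HTTP/1.1 response into a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name and value:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Classify each header of interest as 'missing', 'weak' or 'ok'."""
    result = {}
    for name, check in {**SERVER_LEVEL, **APP_LEVEL}.items():
        value = headers.get(name.lower())
        if value is None:
            result[name] = "missing"
        elif not check(value):
            result[name] = "weak"
        else:
            result[name] = "ok"
    return result


def server_level_fixes(headers):
    """Headers that are missing or weak and could be fixed in the web server config alone."""
    report = audit(headers)
    return sorted(name for name in SERVER_LEVEL if report[name] != "ok")


# Constructed sample responses, not captured traffic.
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Strict-Transport-Security: max-age=60\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src *\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("bare", BARE_RESPONSE), ("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(parse_response(raw)), server_level_fixes(parse_response(raw)))
```

The "weak" case is the one a presence-only scan misses: an X-Frame-Options value browsers do not recognise, or an HSTS max-age measured in seconds, passes a header-exists check while protecting nothing. The CSP in the hardened sample also carries frame-ancestors 'none', which is the CSP-level replacement for X-Frame-Options in current browsers; keeping both covers older clients.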

romichg commented 8 years ago

We should be able to fix it for the 4.0 and 3.6 versions. I don't know about anything older than that.