afterlogic / webmail-lite-8

Open-source webmail script for existing IMAP server
https://afterlogic.org/webmail-lite-8
GNU Affero General Public License v3.0
335 stars 72 forks

Security improvements by introducing Content Security Policy #48

Closed erikhubers closed 4 years ago

erikhubers commented 5 years ago

Hey there,

I noticed no CSP headers defined in Afterlogic WebMail Lite/Pro. Maybe it's nice to provide some for additional security. I've also run the demo page through securityheaders.com; the score (D) isn't really top notch.

afterlogic-support commented 5 years ago

Thank you, I've notified the developers about this.

afterlogic-support commented 4 years ago

The feature is implemented in Afterlogic WebMail 8.5.1: https://afterlogic.com/docs/webmail-pro-8/security/content-security-policy