appserver-io / webserver

Multithreaded webserver for php written in php

Add new default headers X-Frame-Options, X-Content-Type-Options and X-XSS-Protection to protect requests against security attacks #169

Closed wagnert closed 8 years ago

appserver-ci commented 8 years ago

The appserver-ci build passed

2case commented 8 years ago

Great... :( ... and how can I disable or change the x-frame-options??? Where is the documentation for this?

wagnert commented 8 years ago

@2case Have a look at http://appserver.io/get-started/documentation/1.1/webserver.html#headers, which describes how you can override the value of the X-Frame-Options header :)

2case commented 8 years ago

Cool, thanks. Didn't find it through my own search, and the new default value breaks Neos on asset assignment. It will also break the reworked UI - as far as I heard - since the new one will be based on iframes.

wagnert commented 8 years ago

You're welcome :)

2case commented 8 years ago

Works perfectly in the appserver.xml configuration file (added in case someone else looks for this)

<headers>
    <header type="response" name="X-Frame-Options" value="SAMEORIGIN" override="true"/>
</headers>
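
One way to confirm that an override like the one above still leaves all three headers from this pull request in place, as an added example that is not part of the thread or of the appserver code base. The response header blocks are constructed samples and the function names are hypothetical.

```python
# Added example (not from the thread): audit a raw response header block for
# the three headers this pull request introduces. All samples are constructed.
CHECKED = ("x-frame-options", "x-content-type-options", "x-xss-protection")
XFO_VALUES = {"DENY", "SAMEORIGIN"}

# Constructed sample: the SAMEORIGIN override replaced the default cleanly.
OVERRIDDEN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
              "X-XSS-Protection: 1; mode=block\r\n\r\n<html></html>")
# Constructed sample: two conflicting framing policies and one header missing.
DUPLICATED = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
              "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n\r\n")


def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw status line + header block."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Return sorted findings; an empty list means all three headers look sane."""
    h = parse_headers(raw)
    findings = []
    for name in CHECKED:
        values = h.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len({v.upper() for v in values}) > 1:
            findings.append(f"{name}: conflicting values {values}")
    for v in h.get("x-frame-options", []):
        if v.upper().startswith("ALLOW-FROM"):
            findings.append("x-frame-options: ALLOW-FROM is obsolete")
        elif v.upper() not in XFO_VALUES:
            findings.append(f"x-frame-options: unrecognised value {v!r}")
    for v in h.get("x-content-type-options", []):
        if v.lower() != "nosniff":
            findings.append(f"x-content-type-options: expected nosniff, got {v!r}")
    return sorted(findings)


if __name__ == "__main__":
    print(audit(OVERRIDDEN), audit(DUPLICATED))
```

To check a live server, pass the header block of a captured response to `audit()` in place of the constructed samples.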