Open edevosc2c opened 6 months ago
The gateway is removing all the sec- headers before passing them to the final application: https://github.com/georchestra/georchestra-gateway/blob/main/gateway/src/main/java/org/georchestra/gateway/filter/headers/RemoveSecurityHeadersGatewayFilterFactory.java#L50
This may not be desired because there are many official sec- headers useful for the applications, here is a list from MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest
sec-
I think we should modify the regex and whitelist the official sec- headers.
The gateway is removing all the sec- headers before passing them to the final application: https://github.com/georchestra/georchestra-gateway/blob/main/gateway/src/main/java/org/georchestra/gateway/filter/headers/RemoveSecurityHeadersGatewayFilterFactory.java#L50
This may not be desired because there are many official
sec-headers useful for the applications, here is a list from MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-DestI think we should modify the regex and whitelist the official
sec-headers.