Open joseph-reynolds opened 5 years ago
The REST API HTTP responses are missing some security headers. This should be done even for JSON data per https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
For example, https GET /${bmc}/xyz/openbmc_project/network/enumerate returns JSON data with HTTP response headers that do not include:
GET /${bmc}/xyz/openbmc_project/network/enumerate
The fix is to add these headers to the HTTP response.
The REST API HTTP responses are missing some security headers. This should be done even for JSON data per https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
For example, https
GET /${bmc}/xyz/openbmc_project/network/enumeratereturns JSON data with HTTP response headers that do not include:The fix is to add these headers to the HTTP response.