Implementation of new security headers

[hvelarde]

I want to implement the new X-Content-Type-Options and X-XSS-Protection security headers for Plone 5.x but I don't know where I should add them.

In Plone 4.3 I did so in the main template (https://github.com/plone/Products.CMFPlone/pull/2479), but this doesn't seem right to me for Plone 5.x as similar headers seem to be implemented in 2 different places: plone.app.layout and plone.protect:

• plone.app.layout had a viewlet to include the now obsolete X-UA-Compatible header; this was recently removed in https://github.com/plone/plone.app.layout/pull/154
• plone.protect is the place where we include the X-Frame-Options security header https://github.com/plone/plone.protect/blob/4.0.1/plone/protect/auto.py#L146-L151

@plone/framework-team I need some guidance here.

[davisagli]

I'd go with plone.protect

[hvelarde]

some code needs to be added in plone.tiles as well:

https://github.com/plone/plone.tiles/blob/2.1/plone/tiles/esi.py#L178-L213