Missing HTTP security headers

[1mgtheboss]

Describe the bug There are missing http security headers on, https://challenges.topcoder-dev.com .

To Reproduce / Actual Behavior Steps to reproduce the behavior:

1. Go to 'https://challenges.topcoder-dev.com'.
2. The page has missing http security headers, X-Frame-Options, X-XSS-Protection, Strict-Transport-Security, & X-Content-Type-Options.

Expected behavior The page should not have missing http security headers.

Screenshots Not applicable

Desktop:

• OS: Windows 7 professional 32 bit
• Browser: Google chrome version 81.0.4044.138 (official build) (32-bit)

Additional context The vulnerability has been found through pentest-tools.com website vulnerability scanner.

[jmgasper]

@rootelement - We should probably fix this, but wanted to check if there are strict Topcoder platform requirements here.

[rootelement]

There's no standard. Use your best judgement please.

[acshields]

@vikasrohit - I don't understand the "what's needed" with this one, I just didn't want to lose track of it because it was flagged as security. What is the question on this one, so I can help to get the right inputs?

[vikasrohit]

@acshields I am not sure about this as well. We need expert advice from @rootelement

[vikasrohit]

@acshields lets move it to some future release, as I don't have much idea about this one and we need help from @rootelement for it.

[acshields]

@vikasrohit - noted. I will add it to January for now.

[vikasrohit]

@mtwomey I think we need your expertise here to close down this one. I observed that Projects App return some of the required headers but Work Manager does not. My doubt is that it is either CloudFront or S3 which is adding these headers, however, I am not able to find out where exactly that configuration is being done for Projects app. The difference between Projects App and Work Manager is that Projects App is served from S3 origin while WM is served via ELB origin.

[RishiRajSahu]

@mtwomey should we enable permissive CSP here too ?