Enhancement
Resolution: Unresolved
Major
Even though we should probably avoid using non-standardized HTTP headers, since X-FRAME-OPTIONS is already present in management (WFCORE-1463), I propose considering also adding the X-Content-Type-Options header to the default configuration of the management.
The benefit is slightly improved security for customers using Web Console management.
Current header provided:
curl -v http://localhost:9990/console/index.html
...
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Wed, 29 May 2019 11:09:49 GMT
< X-Frame-Options: SAMEORIGIN
< Content-Length: 1289
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Mon, 03 Jun 2019 08:05:05 GMT
...
relates to: WFCORE-4512 Add X-XSS-Protection header to default management config (Open)
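
A check that could accompany this change, as an added example (not part of the issue or of WildFly's code): it parses the `curl -v` response quoted in the description and reports which hardening headers are missing, duplicated or carry an unexpected value. The policy table, including the `nosniff` value, is an assumption of the example.

```python
import re

# Response lines copied from the curl -v output quoted in the issue.
SAMPLE = """\
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Wed, 29 May 2019 11:09:49 GMT
< X-Frame-Options: SAMEORIGIN
< Content-Length: 1289
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Mon, 03 Jun 2019 08:05:05 GMT
"""

# Header name -> accepted values, all lowercase.
# Assumption: this policy is chosen for the example, not WildFly's own.
POLICY = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
}

HEADER_LINE = re.compile(r"^<\s+([!#$%&'*+.^_`|~0-9A-Za-z-]+):\s*(.*?)\s*$")

def parse_curl_headers(text):
    """Return {lowercased-name: [values]} from the '< ' lines of curl -v."""
    headers = {}
    for line in text.splitlines():
        m = HEADER_LINE.match(line)
        if m:  # the status line has no 'name:' token and is skipped
            headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    return headers

def audit(text, policy=POLICY):
    """Return (header, problem) findings; an empty list means compliant."""
    headers = parse_curl_headers(text)
    findings = []
    for name, allowed in policy.items():
        values = headers.get(name)
        if not values:
            findings.append((name, "missing"))
        elif len(values) > 1:
            findings.append((name, "duplicated"))
        elif values[0].lower() not in allowed:
            findings.append((name, "unexpected value %r" % values[0]))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

Run against the response in the description, the audit reports only `x-content-type-options` as missing, which is the gap this issue proposes to close.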