...
According to Wikipedia and OWASP, the only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions.
X-XSS-Protection
While working on a means to introduce this in OFBiz I stumbled upon this exchange between Jacopo and Mark Thomas on the Tomcat users ML. I did not find any progress but I will ask Jacopo.
Set-Cookie
The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network.
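As an added example (not OFBiz or Tomcat code), the following script audits a raw HTTP response for the three points discussed on this page: X-Content-Type-Options set to nosniff, X-XSS-Protection enabled, and every Set-Cookie carrying the Secure flag. The two sample responses and the JSESSIONID cookie value are constructed for illustration.

```python
from __future__ import annotations


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split the head of a raw HTTP response into (name, value) pairs.
    The status line is skipped; a list is kept because Set-Cookie may repeat."""
    headers = []
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_flags(set_cookie: str) -> set[str]:
    """Return the lower-cased attribute names (Path, Secure, HttpOnly, ...) of one Set-Cookie value."""
    attrs = [p.strip() for p in set_cookie.split(";")[1:]]
    return {a.split("=", 1)[0].lower() for a in attrs if a}


def audit(raw: str) -> dict[str, bool]:
    """Check the response for the headers this page discusses."""
    values: dict[str, list[str]] = {}
    for name, value in parse_headers(raw):
        values.setdefault(name, []).append(value)
    # nosniff is the only defined value for X-Content-Type-Options
    nosniff = any(v.lower() == "nosniff" for v in values.get("x-content-type-options", []))
    # "1" (optionally with "; mode=block") turns the filter on; "0" disables it
    xss = any(v.split(";")[0].strip() == "1" for v in values.get("x-xss-protection", []))
    # every cookie must carry Secure, so it is only sent over HTTPS
    secure = all("secure" in cookie_flags(c) for c in values.get("set-cookie", []))
    return {"nosniff": nosniff, "xss_protection": xss, "cookies_secure": secure}


# Constructed sample responses: a weak one and a hardened one.
WEAK = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
)

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```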
...
OFBiz users can decide to change this parameter if they want.
These are the related Jira issues: