Comment: X-XSS-Protection done

The main tool I (Jacques Le Roux) recommend is https://cyh.herokuapp.com/cyh


You can also find very good information at https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ and a more limited summary at https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Here is the state we had (2015-12-12):

...

According to Wikipedia and OWASP, the only defined value of X-Content-Type-Options, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared Content-Type. Google Chrome also honors it when downloading extensions. Firefox does not support it yet.

X-XSS-Protection

This header enables the cross-site scripting (XSS) filter built into most recent web browsers.
The filter is usually enabled by default anyway, so the role of this header is to re-enable it for this particular website if the user has disabled it. The usual value is "1; mode=block", which tells the browser to stop rendering the page when an attack is detected rather than attempt to sanitize it (a plain "1" only sanitizes, and "0" disables the filter for the site).
This header is supported in IE 8+ and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4; it is unknown whether that version honored this header.
Firefox still has an open bug entry and "offers" only the NoScript plugin.
https://wiki.mozilla.org/Security/Features/XSS_Filter
https://bugzilla.mozilla.org/show_bug.cgi?id=528661

While working on a means to introduce this in OFBiz I stumbled upon this exchange between Jacopo and Mark Thomas about HttpHeaderSecurityFilter on the Tomcat users ML. I did not find any progress but I will ask Jacopo. See my conclusion here.

The Secure flag on cookies instructs the browser to submit the cookie only as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed in plain text in transit over the network.
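The three checks above (nosniff on X-Content-Type-Options, the value of X-XSS-Protection, and the Secure flag on every Set-Cookie) are what a header checker such as the one recommended at the top of this page performs. The script below is an added, stand-alone example (not OFBiz, Tomcat or cyh code) that runs those checks over a raw response. Both responses it inspects are constructed samples for illustration, not real OFBiz captures; the JSESSIONID and OFBiz.Visitor cookie names are assumptions.

```python
"""Audit the security headers discussed above on a raw HTTP response."""

# Constructed sample (not a real capture): none of the headers are set and the
# cookies lack the Secure flag, so they would also be sent over plain HTTP.
UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/webtools; HttpOnly\r\n"
    "Set-Cookie: OFBiz.Visitor=10000; Path=/\r\n"
    "\r\n"
)

# The same constructed response after hardening: nosniff, the XSS filter
# forced on in block mode, and every cookie marked Secure and HttpOnly.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/webtools; Secure; HttpOnly\r\n"
    "Set-Cookie: OFBiz.Visitor=10000; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw response into (name, value) pairs.

    Repeats are kept because Set-Cookie legitimately appears once per cookie;
    names are lower-cased since header names are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # [1:] drops the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def values(headers, name):
    """All values sent for one header name."""
    return [v for n, v in headers if n == name.lower()]


def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    findings = []

    # X-Content-Type-Options: "nosniff" is the only defined value.
    xcto = values(headers, "X-Content-Type-Options")
    if not xcto:
        findings.append("X-Content-Type-Options missing; browsers may MIME-sniff")
    elif xcto[0].lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has undefined value {xcto[0]!r}")

    # X-XSS-Protection: "0" turns the filter off, "1" alone only sanitizes
    # (the page still renders), "1; mode=block" stops rendering entirely.
    xxp = values(headers, "X-XSS-Protection")
    if not xxp:
        findings.append("X-XSS-Protection missing; a user-disabled filter stays off")
    else:
        directives = [d.strip().lower() for d in xxp[0].split(";")]
        if directives[0] == "0":
            findings.append("X-XSS-Protection: 0 disables the filter for this site")
        elif "mode=block" not in directives:
            findings.append("X-XSS-Protection lacks mode=block; filter only sanitizes")

    # Set-Cookie: without Secure the cookie also travels over plain HTTP;
    # without HttpOnly it is readable from script (the XSS payoff).
    for cookie in values(headers, "Set-Cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure; sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly; readable from script")

    return findings


if __name__ == "__main__":
    for label, raw in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(f"{label}: {audit(raw) or ['OK']}")
```

Run it against a real response by pasting the header block into `audit()`; the parser keeps duplicate Set-Cookie lines, so a site that sets several cookies gets one finding per cookie that lacks Secure, which is the case to look for after enabling HTTPS on a container that was deployed over plain HTTP.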

...