
The main tool I (Jacques Le Roux) recommend is https://cyh.herokuapp.com/cyh

You can also find very good information at https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ and, more limited, at https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Here is the state we had (2015-12-12):

Here are some links for each header:

Global references are notably:

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

X-Frame-Options

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types

https://www.owasp.org/index.php/Clickjacking

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options (interesting for devops, tells about Apache, Nginx and HAProxy)

Strict-Transport-Security

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html (for devops)

About HSTS preload, if you really care: https://hstspreload.appspot.com/