Improvements #13187 (closed): Allow custom headers to be configured in the config file
Start date: 11/06/2024
Due date:
% Done: 100%
Estimated time:
Description
Similar to head-matter and meta-headers, there should be a headers section in the configuration.
These will define headers that will always be set by the application for each of its responses. By default they will:
- be as permissive as possible, if they affect functionality.
- be according to ASVS guidelines (see section 14.4: HTTP Security Headers), if they can be set as such without functionality being affected.
Updated by Matthias Van Ceulebroeck 3 months ago
- Related to Bug #13042: Disallow content type sniffing added
Updated by Matthias Van Ceulebroeck 3 months ago
- Related to Bug #8156: X-Frame-Option=SAMEORIGIN doesn't let my application be visualized inside iframe added
Updated by Matthias Van Ceulebroeck 3 months ago
- Related to Improvements #6584: Make X-Frame-Options a configuration option added
Updated by Matthias Van Ceulebroeck 3 months ago
ASVS headers of importance are:
- Content-Type
- Content-Disposition
- Content Security Policy (CSP)
- X-Content-Type-Options (nosniff)
- Strict-Transport-Security (often set by proxy)
- Referrer-Policy
Only the first two are satisfied. The last four should be added.
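The description asks for a configured header set that overlays project defaults (permissive where a header can break functionality, ASVS-strict otherwise), and the comment above lists the six ASVS 14.4 headers to cover. The following added example, which is not Wt's code and does not reproduce Wt's actual configuration syntax, models that overlay as a case-insensitive merge (an empty configured value opts out of a default, the situation from #8156) and audits a resulting response against those six headers. The default values, the HSTS max-age floor and the sample response are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed default set (not Wt's actual defaults): strict where a header
# cannot break an application, permissive where it can.
DEFAULT_HEADERS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "SAMEORIGIN",  # apps shown inside an iframe override this
    "Content-Security-Policy": "frame-ancestors 'self'",
    # Strict-Transport-Security is left to the proxy/deployment, as the issue notes.
}

HSTS_MIN_MAX_AGE = 15724800  # six months, the floor ASVS 14.4.5 uses (assumption)

Finding = Tuple[str, str, str]  # (header, verdict, note); verdict is ok/warn/fail


def merge_headers(defaults: Dict[str, str], configured: Dict[str, str]) -> Dict[str, str]:
    """Overlay a configured header set on the defaults (case-insensitive names).
    An empty configured value removes the default, which is how an application
    would opt out of e.g. X-Frame-Options."""
    merged = dict(defaults)
    by_lower = {name.lower(): name for name in merged}
    for name, value in configured.items():
        key = by_lower.get(name.lower(), name)
        if value == "":
            merged.pop(key, None)
        else:
            merged[key] = value
            by_lower[name.lower()] = key
    return merged


def _hsts_max_age(value: str):
    """Parse max-age out of a Strict-Transport-Security value; None if absent/invalid."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            return int(number.strip()) if number.strip().isdigit() else None
    return None


def audit_headers(headers: Dict[str, str], over_https: bool = True) -> List[Finding]:
    """Check one response's headers against the six headers listed in the issue."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[Finding] = []

    ctype = h.get("content-type", "")
    if not ctype:
        findings.append(("Content-Type", "fail", "missing"))
    elif ctype.split(";")[0].strip().startswith("text/") and "charset=" not in ctype.lower():
        findings.append(("Content-Type", "warn", "text/* response without an explicit charset"))
    else:
        findings.append(("Content-Type", "ok", ctype))

    # Content-Disposition matters for downloads and API responses, so its
    # absence on a page response is informational rather than a failure.
    if "content-disposition" in h:
        findings.append(("Content-Disposition", "ok", h["content-disposition"]))
    else:
        findings.append(("Content-Disposition", "warn", "absent; set it on API/download responses"))

    csp = h.get("content-security-policy")
    findings.append(("Content-Security-Policy", "ok" if csp else "fail", csp or "missing"))

    xcto = h.get("x-content-type-options", "")
    if xcto.strip().lower() == "nosniff":
        findings.append(("X-Content-Type-Options", "ok", xcto))
    else:
        findings.append(("X-Content-Type-Options", "fail", "expected nosniff, got %r" % xcto))

    hsts = h.get("strict-transport-security")
    if not over_https:
        findings.append(("Strict-Transport-Security", "ok", "not applicable over plain HTTP"))
    elif hsts is None:
        findings.append(("Strict-Transport-Security", "warn", "missing; often set by the proxy"))
    else:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(("Strict-Transport-Security", "fail", "max-age below %d" % HSTS_MIN_MAX_AGE))
        else:
            findings.append(("Strict-Transport-Security", "ok", hsts))

    ref = h.get("referrer-policy", "").strip().lower()
    if not ref:
        findings.append(("Referrer-Policy", "fail", "missing"))
    elif ref == "unsafe-url":
        findings.append(("Referrer-Policy", "fail", "unsafe-url sends full URLs cross-origin"))
    else:
        findings.append(("Referrer-Policy", "ok", ref))
    return findings


def is_compliant(headers: Dict[str, str], over_https: bool = True) -> bool:
    """True when no header check fails (warnings are allowed)."""
    return all(verdict != "fail" for _, verdict, _ in audit_headers(headers, over_https))


if __name__ == "__main__":
    # Constructed sample: the defaults plus what a deployed response would carry.
    response = merge_headers(DEFAULT_HEADERS, {
        "Content-Type": "text/html; charset=UTF-8",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    })
    for header, verdict, note in audit_headers(response):
        print("%-26s %-4s %s" % (header, verdict, note))
```

The split between `fail` and `warn` mirrors the issue's own rule: a missing `nosniff` or `Referrer-Policy` is always a defect, while a missing HSTS header is only a warning because the proxy commonly adds it, and `X-Frame-Options` is not audited at all since the page treats it as a deployment choice rather than a fixed requirement.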
Updated by Romain Mardulyn 3 months ago
- Status changed from New to InProgress
- Assignee set to Romain Mardulyn
Updated by Romain Mardulyn 2 months ago
- Status changed from InProgress to Review
- Assignee deleted (Romain Mardulyn)
Updated by Matthias Van Ceulebroeck 15 days ago
- Assignee set to Matthias Van Ceulebroeck
Updated by Matthias Van Ceulebroeck 7 days ago
- Status changed from Review to Implemented @Emweb
- Assignee changed from Matthias Van Ceulebroeck to Romain Mardulyn
- % Done changed from 0 to 100
Updated by Matthias Van Ceulebroeck 6 days ago
- Status changed from Implemented @Emweb to Implemented @Test
Updated by Matthias Van Ceulebroeck 6 days ago
- Status changed from Implemented @Test to Closed