Improvements #13187 (open)
Allow custom headers to be configured in the config file
Start date: 11/06/2024
Due date:
% Done: 0%
Estimated time:
Description
Similar to head-matter and meta-headers, there should be a headers section in the configuration.
These define headers that the application will always set on each of its responses. By default they will:
- be as permissive as possible, if they affect functionality;
- follow the ASVS guidelines (see section 14.4: HTTP Security Headers), if they can be set that way without affecting functionality.
Updated by Matthias Van Ceulebroeck 11 days ago
- Related to Bug #13042: Disallow content type sniffing added
Updated by Matthias Van Ceulebroeck 11 days ago
- Related to Bug #8156: X-Frame-Option=SAMEORIGIN doesn't let my application be visualized inside iframe added
Updated by Matthias Van Ceulebroeck 11 days ago
- Related to Improvements #6584: Make X-Frame-Options a configuration option added
Updated by Matthias Van Ceulebroeck 11 days ago
ASVS headers of importance are:
- Content-Type
- Content-Disposition
- Content Security Policy (CSP)
- X-Content-Type-Options (nosniff)
- Strict-Transport-Security (often set by proxy)
- Referrer-Policy
Only the first two are satisfied. The last four should be added.
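As an added illustration of the design in the description and of the header list above (example code, not this project's own), the following sketch merges a hypothetical `headers` config section over ASVS 14.4 style defaults. The config format, the `None`-removes-a-default rule and the defaults themselves are assumptions; the handler-wins rule for per-response headers such as Content-Type is likewise an assumption about how the merged set would be applied.

```python
# Added example, not the project's code. A hypothetical "headers" config
# section is merged over ASVS-style defaults and applied to every response.
from typing import Dict, Mapping, Optional, Tuple

# Assumed defaults for the headers the update above says are still missing,
# plus X-Frame-Options (the subject of related issue #6584). Content-Type and
# Content-Disposition depend on the individual response and are not defaulted.
DEFAULT_HEADERS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
}


def resolve_headers(config: Optional[Mapping[str, Optional[str]]]) -> Dict[str, str]:
    """Merge the config 'headers' section over the defaults.

    Header names are case-insensitive, so matching is done on a lower-cased
    key. A config value of None removes the default entirely, which is how a
    deployment that must be framed by another origin would drop
    X-Frame-Options (and relax frame-ancestors in its own CSP value).
    """
    merged: Dict[str, Tuple[str, str]] = {
        name.lower(): (name, value) for name, value in DEFAULT_HEADERS.items()
    }
    for name, value in (config or {}).items():
        key = name.lower()
        if value is None:
            merged.pop(key, None)
        else:
            merged[key] = (name, value)
    return {name: value for name, value in merged.values()}


def apply_headers(response_headers: Mapping[str, str],
                  configured: Mapping[str, str]) -> Dict[str, str]:
    """Add the configured headers to one response.

    Headers the handler already set (e.g. Content-Type, Content-Disposition)
    are kept; configured headers fill in only what is absent.
    """
    present = {name.lower() for name in response_headers}
    out = dict(response_headers)
    for name, value in configured.items():
        if name.lower() not in present:
            out[name] = value
    return out
```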
Updated by Romain Mardulyn 10 days ago
- Status changed from New to InProgress
- Assignee set to Romain Mardulyn