Horizon – API Handling – HTTP Security Headers Not Present

Added new X-Content-Type-Options: nosniff header to make sure the browser
does not try to detect a different Content-Type than what is actually
sent (can lead to XSS)

Added new Header and set X-Permitted-Cross-Domain-Policies: "none"

Change-Id: I6f89ffb44ad805039c4074889a7c15fbef6fc95e
NarlaSandeepNarlaSaibaba 2019-10-09 14:45:18 -05:00 committed by Steve Wilkerson
parent 6e4ab4aa0c
commit 243f74f10d
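A defender's check for the change above, added here as an example (not code from the openstack-helm commit): it parses a raw HTTP response and reports which of the expected security headers are missing, duplicated, or set to an unexpected value. The EXPECTED table and the sample responses are constructed for illustration.

```python
"""Audit an HTTP response for the security headers this change sets.

Added example, not code from the openstack-helm commit. The EXPECTED table
and the sample responses below are constructed for illustration.
"""

# Header name -> acceptable values (both compared case-insensitively).
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-permitted-cross-domain-policies": {"none"},
    # Still commented out in the hunk; listed so the audit flags it.
    "x-frame-options": {"sameorigin", "deny"},
}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Return {lowercased name: [values]} from a raw HTTP/1.x response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # ignore malformed or folded lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> dict[str, str]:
    """Map each expected header to a problem string; empty dict means all good."""
    headers = parse_headers(raw)
    problems: dict[str, str] = {}
    for name, allowed in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            problems[name] = "missing"
        elif len(values) > 1:
            # Duplicates happen when both a proxy and the backend set the header.
            problems[name] = f"set {len(values)} times"
        elif values[0].lower() not in allowed:
            problems[name] = f"unexpected value {values[0]!r}"
    return problems


# Constructed responses: before and after the change in the hunk.
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
AFTER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n\r\n<html>"
)

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(resp) or "all expected headers present")
```

Feed it real output from `curl -i` against the Horizon endpoint after the chart is deployed.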

@ -167,19 +167,17 @@ conf:
# Require all denied
#</DirectoryMatch>
#
#Security-Settings
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"
#
Header set X-Content-Type-Options: "nosniff"
Header set X-Permitted-Cross-Domain-Policies: "none"
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"
local_settings:
config:
# Use "True" and "False" as Titlecase strings with quotes, boolean
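Review bot: the old commented-out example `#Header set X-Content-Type-Options: "nosniff"` is left in place directly above the new active `Header set X-Content-Type-Options: "nosniff"`, so the comment block ("Setting this header will prevent MSIE ...") now documents a dead line while the live directive sits unexplained next to an equally undocumented `Header set X-Permitted-Cross-Domain-Policies: "none"`; drop the commented copy and give the new cross-domain-policies directive a comment of its own. The same comment notes that these directives require mod_headers, so either confirm the image loads it or wrap the two `Header set` lines in `<IfModule mod_headers.c>` so httpd still starts when it is absent. Given the change is titled "HTTP Security Headers Not Present", is leaving `#Header set X-Frame-Options: "sameorigin"` commented out intended?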