Closed Bug 1342128 Opened 7 years ago Closed 7 years ago

[PulseGuardian] Set X-XSS-Protection, X-Content-Type-Options and X-Frame-Options headers

Categories

(Webtools :: Pulse, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: emorley, Unassigned)

References

Details

Lumping these together, since they are all pretty safe and will likely be implemented in the same way.

Will resolve the following HTTP Observatory results:
    -10    X-XSS-Protection header not implemented
    -20    X-Frame-Options (XFO) header not implemented
    -5     X-Content-Type-Options header not implemented

The headers can either be set manually, or else by using something like:
https://github.com/twaldear/flask-secure-headers

More information on what the headers do:
https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection
https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Frame-Options
https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Content-Type-Options
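One way to set the three headers in a Flask/WSGI app, as an added example (it is not PulseGuardian's change from PR 28 nor the flask-secure-headers library); the header values follow the linked Mozilla guidelines, and the demo app and its paths are constructed. It also shows the check a practitioner wants: a header a view has already set deliberately is kept rather than duplicated.

```python
# Added example, not PulseGuardian's code or the flask-secure-headers library:
# a WSGI middleware that adds the three headers from the bug to every response.
# It wraps any WSGI app (e.g. flask_app.wsgi_app), so no Flask import is needed.

# Values follow the Mozilla Web Security guidelines linked above.
SECURE_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}


def add_secure_headers(response_headers, secure_headers=SECURE_HEADERS):
    """Return a header list with each secure header present exactly once.

    Names compare case-insensitively, so a header a view set on purpose
    (e.g. SAMEORIGIN on a page that must be framed) is kept, not duplicated;
    two conflicting values would leave the browser's choice undefined.
    """
    present = {name.lower() for name, _ in response_headers}
    missing = [(n, v) for n, v in secure_headers.items() if n.lower() not in present]
    return list(response_headers) + missing


class SecureHeadersMiddleware:
    """Wrap a WSGI app and patch its start_response to add the headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def secure_start_response(status, headers, exc_info=None):
            return start_response(status, add_secure_headers(headers), exc_info)
        return self.app(environ, secure_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for PulseGuardian; /embed sets its own XFO."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if environ.get("PATH_INFO") == "/embed":
        headers.append(("x-frame-options", "SAMEORIGIN"))
    start_response("200 OK", headers)
    return [b"<h1>PulseGuardian</h1>"]


def get_headers(app, path):
    """Minimal in-process WSGI call; returns the response headers as a dict."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return dict(captured["headers"])
```

Running `get_headers(SecureHeadersMiddleware(demo_app), "/")` returns all three headers with the guideline values, while `/embed` keeps its SAMEORIGIN value and only gains the two headers it lacked.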
Ed, would you mind reviewing https://github.com/mozilla-services/pulseguardian/pull/28?
Flags: needinfo?(emorley)
Done - looks good!
Assignee: nobody → mcote
Flags: needinfo?(emorley)
Thanks!

https://github.com/mozilla-services/pulseguardian/commit/04b5e6a3d452274ad3e7994b3d36c117cd54389f
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED