Enable X-Frame-Options for quality.mozilla.org

Status: VERIFIED FIXED
People

(Reporter: dchan, Assigned: cturra)

Description (Reporter, 5 years ago)
+++ This bug was initially created as a clone of Bug #879104 +++

XFO is not enabled. A setting of
X-Frame-Options: SAMEORIGIN

should be sufficient. DENY would be ideal but I'm not comfortable with that unless we know for sure we don't need framing on the site.
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: shyam → nmaul
Comment 1 (Assignee, 5 years ago)

I have added this header to quality dev and stage to start testing this.

$ curl -I https://quality-dev.allizom.org
HTTP/1.1 401 Authorization Required
Server: Apache
X-Backend-Server: generic1.dev.webapp.phx1.mozilla.com
WWW-Authenticate: Basic realm="quality dev"
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Thu, 06 Jun 2013 19:03:20 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Assignee: server-ops-webops → cturra
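The description asks for SAMEORIGIN (or ideally DENY), and the comment above verifies it by eyeballing `curl -I` output. The script below is an added example, not code from this bug or from Mozilla WebOps: it automates that check by reading a captured header block from stdin and classifying the X-Frame-Options value, so it runs offline and can be pointed at a live host with `curl -sI`. The function names `xfo_status` and `xfo_check_url` and the two sample captures are this example's own, not anything from the bug.

```shell
#!/bin/sh
# Added example (not from the bug or from Mozilla WebOps): classify the
# X-Frame-Options (XFO) header in a captured HTTP response.
# Headers are read from stdin so the check runs offline; for a live site
# pipe in `curl -sI https://quality.mozilla.org`.

# xfo_status: read response headers on stdin, print one line, set exit status:
#   DENY / SAMEORIGIN  -> exit 0 (framing restricted)
#   MISSING            -> exit 1 (no header at all)
#   MULTIPLE           -> exit 1 (header repeated; treat as a misconfiguration)
#   UNSAFE:<value>     -> exit 1 (e.g. ALLOW-FROM, which current browsers ignore)
xfo_status() {
    awk '
    {
        sub(/\r$/, "")                      # tolerate CRLF line endings
        i = index($0, ":")
        if (i == 0) next                    # status line or blank line
        name = tolower(substr($0, 1, i - 1))
        gsub(/^[ \t]+|[ \t]+$/, "", name)   # header names are case-insensitive
        if (name != "x-frame-options") next
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)    # trim surrounding whitespace
        n++
        last = val
    }
    END {
        if (n == 0) { print "MISSING";  exit 1 }
        if (n > 1)  { print "MULTIPLE"; exit 1 }
        u = toupper(last)
        if (u == "DENY" || u == "SAMEORIGIN") { print u; exit 0 }
        print "UNSAFE:" last
        exit 1
    }'
}

# xfo_check_url: live variant of the same check (needs network access).
xfo_check_url() {
    curl -sI "$1" | xfo_status
}

# Constructed sample captures for an offline run (not real responses).
GOOD=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n')
BAD=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n')

for capture in "$GOOD" "$BAD"; do
    result=$(printf '%s\n' "$capture" | xfo_status) && \
        echo "ok: $result" || echo "problem: $result"
done
```

Two points worth keeping in mind when reading the curl output in this bug. First, the dev capture is a 401, and the header is still present on it; with Apache's mod_headers that is what `Header always set X-Frame-Options "SAMEORIGIN"` gives you, whereas a plain `Header set` only applies to 2xx responses, leaving error pages frameable. Second, browsers that support the CSP `frame-ancestors` directive honour it in preference to X-Frame-Options, so a later CSP rollout on the same site should either omit `frame-ancestors` or set it consistently with the value chosen here.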
Comment 2 (Assignee, 5 years ago)

My tests look good, so I have pushed this header to prod.

$ curl -I https://quality.mozilla.org
HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: generic1.webapp.phx1.mozilla.com
Vary: Accept-Encoding
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Thu, 06 Jun 2013 19:28:30 GMT
X-Pingback: https://quality.mozilla.org/xmlrpc.php
Expires: Thu, 06 Jun 2013 19:28:30 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive
Set-Cookie: bp-message=deleted; expires=Wed, 06-Jun-2012 19:28:29 GMT; path=/
Set-Cookie: bp-message-type=deleted; expires=Wed, 06-Jun-2012 19:28:29 GMT; path=/
X-Frame-Options: SAMEORIGIN
X-Cache-Info: not cacheable; response specified max-age <= 0
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Verified fixed on https://quality.mozilla.org/
Status: RESOLVED → VERIFIED
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations