Update: HTTP_Headers_Cheat_Sheet #1401
Labels:
- ACK_OBTAINED: Issue acknowledged from core team so work can be done to fix it.
- HELP_WANTED: Issue for which help is wanted to do the job.
- UPDATE_CS: Issue about the update/refactoring of an existing cheat sheet.
What is missing or needs to be updated?
Some security headers such as `Content-Security-Policy` are (as far as I can tell) relevant on all HTML pages, including error pages. But the recommended configuration for Apache or nginx only sets headers on successful responses (2xx or 3xx).

See the Apache docs on `Header set`:

And the nginx docs on `add_header`:

Example of how that could be problematic: A site that shows user generated content has an XSS vulnerability in their app code, but it doesn't take effect because the server admin configured a strong CSP using the recommended Apache/nginx configuration. However, the CSP is not sent on 404 pages. If the app adds a feature to show content on 404 pages (i.e. "What you're looking for doesn't exist, but check out this instead"), the XSS vulnerability could now be exploited.
How should this be resolved?
Add `always` to the recommended configuration for Apache and nginx, or add an explanation that the default is to only set headers on success responses.

Apache:

nginx:
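A way to verify the behaviour described in this issue from the outside, as an added example (not part of the cheat sheet or of the issue): fetch the headers of a page that exists and of a path that does not, and report which security headers are present on the 200 response but absent from the error response. The base URL is a placeholder; the header-comparison helpers are pure and are exercised below on constructed header blocks.

```bash
#!/bin/sh
# Added example, not from the cheat sheet. Confirms that security headers
# are emitted on error responses, not only on 2xx/3xx responses.
# The corrected configuration lines this issue asks for look like:
#   nginx:  add_header Content-Security-Policy "default-src 'self'" always;
#   Apache: Header always set Content-Security-Policy "default-src 'self'"

# Return 0 if the raw response headers in $1 contain header $2
# (case-insensitive match on the header name at the start of a line;
# CRLF line endings from curl are tolerated).
has_header() {
    printf '%s\n' "$1" | grep -qi "^$2:"
}

# Given the headers of a successful response ($1) and of an error response
# ($2), print the names (from $3...) that are present on the successful
# response but missing from the error response, space-separated.
missing_on_error() {
    ok="$1"; err="$2"; shift 2
    missing=""
    for h in "$@"; do
        if has_header "$ok" "$h" && ! has_header "$err" "$h"; then
            missing="$missing $h"
        fi
    done
    printf '%s' "${missing# }"
}

# Fetch only the response headers of a URL; redirects are not followed so
# the status of the requested resource itself is examined.
fetch_headers() {
    curl -s -D - -o /dev/null "$1"
}

# Compare a known-good page with a path that should return 404 on the
# site at $1 (placeholder, e.g. https://example.invalid). Exits 1 if any
# of the listed headers is dropped on the error response.
check_site() {
    base="$1"
    ok=$(fetch_headers "$base/")
    err=$(fetch_headers "$base/no-such-path-$$")
    dropped=$(missing_on_error "$ok" "$err" \
        Content-Security-Policy X-Content-Type-Options X-Frame-Options)
    if [ -n "$dropped" ]; then
        echo "Missing on error response: $dropped"
        return 1
    fi
    echo "All checked headers present on error response"
}
```

Run `check_site https://your-site.example` against a site you operate; the script depends only on curl and POSIX sh.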