Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2018/05/23 20:49:00 UTC

[jira] [Comment Edited] (OFBIZ-6766) Secure HTTP headers

    [ https://issues.apache.org/jira/browse/OFBIZ-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16480660#comment-16480660 ] 

Jacques Le Roux edited comment on OFBIZ-6766 at 5/23/18 8:48 PM:
-----------------------------------------------------------------

Reading 
 [https://www.fastly.com/blog/headers-we-dont-want] 
 and then checking at [https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Cache-Control]
 [https://stackoverflow.com/questions/34663916/are-cache-control-pre-check-and-post-check-headers-still-supported-by-ie]
 [https://blogs.msdn.microsoft.com/ieinternals/2009/07/20/internet-explorers-cache-control-extensions/]

I see that we can update our headers:
 * Expires: Fastly recommends removing it, but Mozilla is more conservative: keeping
 * Pragma: same
 * Cache-Control: same + adding private
 * Cache-Control post-check and pre-check: according to Stackoverflow and especially Microsoft, removing
 * x-frame-options: see my comment in user ML at [https://markmail.org/message/hcw7du22vqcbe4oo] TL;DR better to use a CSP policy
 * x-ua-compatible: it's only in HTML files. I think it's more history and cargo cult, but I'll nonetheless ask on the dev ML
 * others: we are not concerned :)

I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about x-ua-compatible on dev ML before committing


was (Author: jacques.le.roux):
Reading 
https://www.fastly.com/blog/headers-we-dont-want 
and then checking at https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Cache-Control
https://stackoverflow.com/questions/34663916/are-cache-control-pre-check-and-post-check-headers-still-supported-by-ie
https://blogs.msdn.microsoft.com/ieinternals/2009/07/20/internet-explorers-cache-control-extensions/

I see that we can update our headers:
* Expires: Fastly recommends removing it, but Mozilla is more conservative: keeping
* Pragma: same
* Cache-Control: same + adding private
* Cache-Control post-check and pre-check: according to Stackoverflow and especially Microsoft, removing
* x-frame-options: see my comment in user ML at https://markmail.org/message/hcw7du22vqcbe4oo TL;DR better to use a CSP policy
* x-ua-compatible: it's only in HTML files. I think it's more history and cargo cult, but I'll nonetheless ask on the dev ML
* others: we are not concerned :)

I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about x-ua-compatible on dev ML before committing

> Secure HTTP headers
> -------------------
>
>                 Key: OFBIZ-6766
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6766
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01
>
>         Attachments: OFBIZ-6766-UtilHttp.java.patch
>
>
> I have created a wiki page for this https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
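As an added illustration of the header review above (example code, not part of OFBiz or the attached UtilHttp.java patch), the following Python audit parses a response's Cache-Control value and reports the three points the comment raises: obsolete pre-check/post-check directives, a missing `private`, and X-Frame-Options used without a CSP `frame-ancestors` directive. The header values in `SAMPLE_BEFORE` and `SAMPLE_AFTER` are constructed for the example.

```python
# Cache-Control extensions IE once accepted; per the Microsoft and Stack Overflow
# references in the comment they are obsolete and should be dropped.
OBSOLETE_CC_DIRECTIVES = {"pre-check", "post-check"}


def parse_cache_control(value: str) -> dict:
    """Split 'a, b=1, c' into {'a': None, 'b': '1', 'c': None} with lower-cased names."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip() if sep else None
    return directives


def audit_headers(headers: dict) -> list:
    """Return findings (strings) for a response header map.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cc = parse_cache_control(h.get("cache-control", ""))
    for d in sorted(OBSOLETE_CC_DIRECTIVES & cc.keys()):
        findings.append(f"remove obsolete Cache-Control directive '{d}'")
    if "cache-control" in h and "private" not in cc:
        findings.append("add 'private' to Cache-Control so shared caches do not store the response")
    csp = h.get("content-security-policy", "")
    if "x-frame-options" in h and "frame-ancestors" not in csp.lower():
        findings.append("X-Frame-Options set without a CSP frame-ancestors directive; prefer CSP")
    return findings


# Constructed sample: headers as an older response might send them.
SAMPLE_BEFORE = {
    "Expires": "0",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache, no-store, must-revalidate, post-check=0, pre-check=0",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample after applying the comment's recommendations.
SAMPLE_AFTER = {
    "Expires": "0",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache, no-store, must-revalidate, private",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    print(*audit_headers(SAMPLE_BEFORE), sep="\n")
```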