  • #5842
Closed
Issue created May 29, 2018 by bmortier (@bmortier, Maintainer)

Security: Missing Security Headers

Description

It's best practice in web application security to set some headers that increase the security level of the application. Basically, the following headers should be set by default to increase the security of all deployments:

  • X-Frame-Options: deny: Prevents clickjacking attacks and other attack techniques against the application.
  • X-XSS-Protection: 1; mode=block: Increases the difficulty of exploiting Cross-Site Scripting (XSS) attacks in many browsers.
  • X-Content-Type-Options: nosniff: Indicates that the browser should not try to deduce a content type different from the Content-Type header.

Furthermore, recommended but difficult to implement effectively:

  • Content-Security-Policy: Whitelists permitted resources and restricts JavaScript usage. Correctly implemented, this increases the difficulty of exploiting Cross-Site Scripting attacks.

Distribution Name and Version

Reproduced in admin.fusiondirectory.org.

FusionDirectory Version

1.2

PHP version used

Reproduced in admin.fusiondirectory.org.

Origin of php packages

Reproduced in admin.fusiondirectory.org.

Steps to Reproduce

  1. Open the browser's developer tools (Ctrl-Shift-I in Firefox and Chrome).
  2. Choose the network tab of the developer tools.
  3. Open the main page of a default FusionDirectory instance.
  4. Check the response headers.

Expected behavior:

The security headers mentioned above are set.

Actual behavior:

No security headers are set.

Reproduces how often: 100%

Additional Information

See the OWASP Security Headers project page and Mozilla web security guide for more information on this topic.
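The check in the steps above, written out as an added example (not FusionDirectory code): it parses a raw HTTP response and reports which of the headers named in this issue are missing or carry a weak value. The two sample responses are constructed for illustration; the accepted values follow the issue text, with SAMEORIGIN additionally tolerated for X-Frame-Options.

```python
"""Audit an HTTP response for the security headers requested in this issue."""
from typing import Callable, Dict, List


def _xfo_ok(value: str) -> bool:
    # The issue asks for "deny"; SAMEORIGIN is accepted as the common weaker setting.
    return value.strip().lower() in ("deny", "sameorigin")


def _xss_ok(value: str) -> bool:
    # Expect exactly "1; mode=block" (whitespace and case insensitive).
    parts = [p.strip().lower() for p in value.split(";")]
    return parts[0] == "1" and "mode=block" in parts[1:]


def _nosniff_ok(value: str) -> bool:
    return value.strip().lower() == "nosniff"


# Header name -> validator for its value, in the order the issue lists them.
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "X-Frame-Options": _xfo_ok,
    "X-XSS-Protection": _xss_ok,
    "X-Content-Type-Options": _nosniff_ok,
}
RECOMMENDED = ("Content-Security-Policy",)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Return {lower-case name: value} from a raw HTTP/1.x response.

    The status line is dropped and the body after the blank line ignored.
    Continuation lines are not supported; a repeated header keeps its last value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: Dict[str, str]) -> List[str]:
    """List findings: missing required headers, weak values, then missing CSP."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for name, ok in REQUIRED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not ok(value):
            findings.append(f"weak: {name}: {value.strip()}")
    findings.extend(f"recommended: {n}" for n in RECOMMENDED if n.lower() not in lower)
    return findings


# Constructed sample responses: one without any security headers, one hardened.
VULNERABLE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html; charset=utf-8\r\n"
              "Set-Cookie: PHPSESSID=placeholder; path=/\r\n\r\n<html>...</html>")
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            "X-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n"
            "X-Content-Type-Options: nosniff\r\nContent-Security-Policy: default-src 'self'\r\n"
            "\r\n<html>...</html>")

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(parse_response_headers(raw)) or "all headers present")
```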
