Content-Security-Policy
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate
certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
These attacks are used for everything from data theft to site defacement or distribution of
malware. CSP provides a set of standard HTTP headers that allow website owners to
declare approved sources of content that browsers should be allowed to load on that page
— covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable
objects such as Java applets, ActiveX, audio and video files.
X-Content-Type-Options
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows
older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response
body, potentially causing the response body to be interpreted and displayed as a content
type other than the declared content type. Current (early 2014) and legacy versions of
Firefox will use the declared content type (if one is set), rather than performing MIME-
sniffing.
Your Environment
Presto version used: 0.291
Expected Behavior
The responses for those static resources should contain the Content-Security-Policy and X-Content-Type-Options headers.
Current Behavior
None of the headers exist in the responses of the static resources
Possible Solution
Add these two headers for the static resources.
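As an added example (not part of the issue and not Presto's own code), the check below reproduces what the scanner quoted above flags, and a small WSGI middleware shows the fix shape: append both headers to static-resource responses. The `/ui/` prefix, the handler `static_app`, the sample responses and the CSP value are constructed assumptions; a real policy must be tuned to the sources the UI actually loads (inline scripts, CDN-hosted libraries), and it is safer to roll it out as `Content-Security-Policy-Report-Only` first.

```python
"""Added example: audit security headers on a response and add the two
headers the issue asks for. Not Presto's code; the paths, handler and
policy value are assumptions made for the example."""
from wsgiref.util import setup_testing_defaults

# Assumed policy values. A CSP this strict will break a UI that relies on
# inline scripts or third-party origins; tune it to the real page first.
CSP_VALUE = "default-src 'self'; object-src 'none'; frame-ancestors 'none'"
NOSNIFF = "nosniff"


def audit_security_headers(headers):
    """Return scanner-style findings for a list of (name, value) pairs.

    Header names are matched case-insensitively, as HTTP requires, and the
    X-Content-Type-Options value is compared ignoring case and whitespace.
    """
    lowered = {name.lower(): value for name, value in headers}
    findings = []
    if "content-security-policy" not in lowered:
        findings.append("Content-Security-Policy header missing")
    xcto = lowered.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options header missing")
    elif xcto.strip().lower() != NOSNIFF:
        findings.append("X-Content-Type-Options not set to 'nosniff': %r" % xcto)
    return findings


def static_app(environ, start_response):
    """Constructed stand-in for a static-resource handler: serves a script
    with only a Content-Type header, like the responses reported above."""
    start_response("200 OK", [("Content-Type", "application/javascript")])
    return [b"console.log('hello');"]


def add_security_headers(app, static_prefix="/ui/"):
    """WSGI middleware: add both headers to responses under static_prefix,
    without duplicating a header the wrapped app already set."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            if environ.get("PATH_INFO", "").startswith(static_prefix):
                present = {name.lower() for name, _ in headers}
                if "content-security-policy" not in present:
                    headers.append(("Content-Security-Policy", CSP_VALUE))
                if "x-content-type-options" not in present:
                    headers.append(("X-Content-Type-Options", NOSNIFF))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def fetch_headers(app, path):
    """Invoke a WSGI app offline and capture its response headers and body."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["headers"], body


if __name__ == "__main__":
    before, _ = fetch_headers(static_app, "/ui/assets/app.js")
    after, _ = fetch_headers(add_security_headers(static_app), "/ui/assets/app.js")
    print("before:", audit_security_headers(before))
    print("after:", audit_security_headers(after))
```

The audit function is the part worth keeping around: run it against the headers returned by `curl -sI` on each static path after deploying a change, so a regression is caught before the next scan rather than by it.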