Comments (5)

cnelson avatar cnelson commented on June 24, 2024 2

Agreed that we shouldn't set the cache control headers for everyone, but X-XSS-Protection: 1; mode=block and X-Content-Type-Options: nosniff (not mentioned in the original request, but important) are useful and shouldn't impact user-facing behavior.

There's a bit more info in the Mozilla Security Guidelines and @jmcarp is having a discussion about adding these headers to Grafana using https://github.com/unrolled/secure in grafana/grafana#6820 which may be a good solution for ATC as well.

from atc.

chendrix avatar chendrix commented on June 24, 2024 1

Hi all, this will be fixed and delivered as part of 2.7.1 5b04c1f...3d32529#diff-20bd1a6996c96469214da01b9a7aae78

from atc.

concourse-bot avatar concourse-bot commented on June 24, 2024

Hi there!

We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created.

The current status is as follows:

  • #135649613 ATC not setting necessary security related HTTP headers

This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.

from atc.

vito avatar vito commented on June 24, 2024

Got a link to something that documents these as standard and why? Those sound like they'd change user-facing behavior in particular ways (no-cache especially), and shouldn't just be added for the sake of it.

from atc.

jbarnicle avatar jbarnicle commented on June 24, 2024

@vito Our particular need stems from a certification requirement being placed on our system by NIST. I understand that not everyone would want / need these headers set - so I would amend the issue to state that there should be a configuration point to add response headers.

from atc.
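As an added illustration of what the thread converges on (not code from Concourse/ATC or its authors), here is a Go `net/http` middleware that always sends the two headers cnelson calls safe for every client, leaves `Cache-Control` out by default, and exposes the operator "configuration point" jbarnicle asks for. The function and variable names are hypothetical; the inner handler and its HTML body are constructed sample input.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// defaultSecurityHeaders are the two headers the thread treats as safe to
// send unconditionally: they do not alter caching or rendering of
// well-formed responses. Cache-Control is deliberately not included,
// because it does change user-facing behaviour.
var defaultSecurityHeaders = map[string]string{
	"X-XSS-Protection":       "1; mode=block",
	"X-Content-Type-Options": "nosniff",
}

// WithSecurityHeaders wraps next so every response carries the defaults
// plus operator-configured extras (hypothetical name). Extras override a
// default of the same name, so a deployment that must send
// Cache-Control: no-cache can opt in without a code change.
func WithSecurityHeaders(extra map[string]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		for k, v := range defaultSecurityHeaders {
			h.Set(k, v)
		}
		for k, v := range extra {
			h.Set(k, v)
		}
		// Set before next writes: once WriteHeader runs, Set is ignored.
		next.ServeHTTP(w, r)
	})
}

// ResponseHeaders sends one constructed request through the middleware
// and returns the headers produced, as a deployment check would inspect.
func ResponseHeaders(extra map[string]string) http.Header {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html") // constructed sample
		fmt.Fprint(w, "<html>ok</html>")
	})
	rec := httptest.NewRecorder()
	WithSecurityHeaders(extra, inner).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Result().Header
}

func main() {
	fmt.Println(ResponseHeaders(map[string]string{"Cache-Control": "no-cache"}))
}
```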
