Comments (5)
Agreed that we shouldn't set the cache control headers for everyone, but X-XSS-Protection: 1; mode=block and X-Content-Type-Options: nosniff (not mentioned in the original request, but important) are useful and shouldn't impact user-facing behavior.
There's a bit more info in the Mozilla Security Guidelines and @jmcarp is having a discussion about adding these headers to Grafana using https://github.com/unrolled/secure in grafana/grafana#6820 which may be a good solution for ATC as well.
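As an added illustration (not code from Concourse ATC or from the unrolled/secure library mentioned above), this Go middleware sets the two headers the comment calls safe and exposes the operator configuration point proposed later in the thread; the "Name: value" flag format, the listen address and the sample Cache-Control value are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Headers the thread agrees are safe for every response: they change neither
// caching nor the rendering of well-formed pages.
var defaultSecurityHeaders = map[string]string{
	"X-Content-Type-Options": "nosniff",
	"X-XSS-Protection":       "1; mode=block",
}

// SecurityHeaders adds the defaults plus operator-configured extras (the
// configuration point requested in the thread); an extra overrides a default of the same name.
func SecurityHeaders(next http.Handler, extra map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range defaultSecurityHeaders {
			w.Header().Set(k, v)
		}
		for k, v := range extra {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// ParseHeaderFlags turns assumed "Name: value" strings (e.g. repeated CLI flags) into a
// header map, rejecting entries with no name, no colon, or a CR/LF that could add header lines.
func ParseHeaderFlags(flags []string) (map[string]string, error) {
	out := make(map[string]string, len(flags))
	for _, f := range flags {
		parts := strings.SplitN(f, ":", 2)
		if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" || strings.ContainsAny(f, "\r\n") {
			return nil, fmt.Errorf("invalid header flag %q", f)
		}
		out[http.CanonicalHeaderKey(strings.TrimSpace(parts[0]))] = strings.TrimSpace(parts[1])
	}
	return out, nil
}

func main() {
	extra, _ := ParseHeaderFlags([]string{"Cache-Control: no-store"}) // constructed operator setting
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	http.ListenAndServe("127.0.0.1:8080", SecurityHeaders(app, extra)) // assumed local address
}
```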
Hi all, this will be fixed and delivered as part of 2.7.1 5b04c1f...3d32529#diff-20bd1a6996c96469214da01b9a7aae78
Hi there!
We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created.
The current status is as follows:
- #135649613 ATC not setting necessary security related HTTP headers
This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.
Got a link to something that documents these as standard and why? Those sound like they'd change user-facing behavior in particular ways (no-cache especially), and shouldn't just be added for the sake of it.
@vito Our particular need stems from a certification requirement being placed on our system by NIST. I understand that not everyone would want / need these headers set - so I would amend the issue to state that there should be a configuration point to add response headers.