window.opener exploitable & security headers missing? #29
Labels: T-bug (Type: Bug)
remexre added the T-bug (Type: Bug) and C-meta ("Component": Metabug or Tracking Issue) labels and removed the C-meta ("Component": Metabug or Tracking Issue) label on Nov 1, 2018
If I were you, I'd add `rel="noopener noreferrer"` to links to external URLs so people can't exploit `window.opener`. Not very serious, but worth doing.

I know, I know. Everybody hates when others tell them they are missing security headers. Is there any reason why the `X-XSS-Protection` header is not set? There are a few others I'd add too, but these depend on how the site is set up:

- `Strict-Transport-Security`: Require use of HTTPS
- `Content-Security-Policy`: Mitigates some XSS attacks
- `Public-Key-Pins`: Prevents MiTM attacks using rogue X.509 certs if the CA is compromised
- `X-Frame-Options`: Stops clickjacking attacks
- `X-Content-Type-Options`: Stops browser from MIME-sniffing