This repository has been archived by the owner on Jun 24, 2020. It is now read-only.
For best practices, we need to add X-XSS-Protection: 1; mode=block and X-Content-Type-Options: nosniff on the response header. By the way, this is NOT a critical issue but it should be taken care of.
This sprint we prioritized a security fix we described as "x-frame header". @virginiacc Is that the same as this? (If so, we're on it and it should happen in the next two weeks, @lfatty!)
@stephanieosan No, they are different. X-XSS-Protection: 1; mode=block will enable the browser's inbuilt anti-XSS filter. X-Content-Type-Options: nosniff will prevent the browser from doing MIME-type sniffing.

@lfatty since these options need to be added to all pages of cf.gov, won't it make sense to do it at the server level and not at a particular module level?
@stephanieosan Yes indeed, it should be at the server level so that all pages have those headers. Again, it is not critical but I just want to get your attention. I need to find out the contact person for implementing the headers site-wide.
```http
HTTP/1.1 200 OK
Expires: Wed, 22 Jul 2015 14:36:46 GMT
Content-Type: application/json
Server: Apache
Allow: OPTIONS, GET
Cache-Control: max-age=1800
Last-Modified: Wed, 22 Jul 2015 14:06:46 GMT
Content-Length: 107
Date: Wed, 22 Jul 2015 14:06:46 GMT
Connection: keep-alive

{"timestamp": "2015-07-21T04:00:00Z", "data": {"4.375": 5, "4.230": 2, "4.500": 2, "4.250": 5, "4.125": 6}}
```
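The response quoted above carries none of the headers discussed in the thread. The following Python script is an added example, not code from the cf.gov project: it parses a raw HTTP response and reports each expected header as present, missing, duplicated or carrying an unexpected value, so the same check can be run against any page once the headers are set server-wide. The sample response is the one quoted in the issue, retyped with CRLF line endings; the X-Frame-Options header (the "x-frame header" mentioned in the thread) and the accepted values for it are assumptions, since the thread does not name them. One caveat a practitioner should know today: X-XSS-Protection is no longer honoured by current browsers (Chrome removed its XSS Auditor in version 78, and Firefox never implemented the filter), so a Content-Security-Policy now carries that weight; nosniff and frame options remain useful.

```python
"""Audit an HTTP response for the security headers discussed in the issue.

Added example; not part of the cf.gov code base.  Parses a raw HTTP/1.1
response and reports, per expected header, whether it is present with an
accepted value, missing, duplicated, or set to something unexpected.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Expected headers and accepted values.  X-Content-Type-Options and
# X-XSS-Protection are as stated in the issue; X-Frame-Options is an
# assumption for the "x-frame header" mentioned in the thread.
# Header names are case-insensitive (RFC 7230), so keys are lowercased.
EXPECTED: Dict[str, List[str]] = {
    "x-content-type-options": ["nosniff"],
    "x-xss-protection": ["1; mode=block"],
    "x-frame-options": ["deny", "sameorigin"],
}

# Constructed sample: the response quoted in the issue, with CRLF endings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Expires: Wed, 22 Jul 2015 14:36:46 GMT\r\n"
    "Content-Type: application/json\r\n"
    "Server: Apache\r\n"
    "Allow: OPTIONS, GET\r\n"
    "Cache-Control: max-age=1800\r\n"
    "Last-Modified: Wed, 22 Jul 2015 14:06:46 GMT\r\n"
    "Content-Length: 107\r\n"
    "Date: Wed, 22 Jul 2015 14:06:46 GMT\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    '{"timestamp": "2015-07-21T04:00:00Z", "data": {"4.375": 5, '
    '"4.230": 2, "4.500": 2, "4.250": 5, "4.125": 6}}'
)


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw response into (status line, headers, body).

    Headers are keyed by lowercased name and stored as lists, so a header
    sent twice (for example X-Frame-Options set by both the application
    and the web server) is detectable rather than silently overwritten.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate captures that were saved with LF-only endings
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def normalise(value: str) -> str:
    """Canonicalise a header value: '1;MODE=block' -> '1; mode=block'."""
    return re.sub(r"\s*;\s*", "; ", value.strip()).lower()


def audit_headers(raw: str) -> Dict[str, str]:
    """Return {header: finding} for every header in EXPECTED.

    Findings are 'ok', 'missing', 'duplicated: ...' or 'unexpected value: ...'.
    """
    _, headers, _ = parse_response(raw)
    findings: Dict[str, str] = {}
    for name, accepted in EXPECTED.items():
        values = headers.get(name)
        if not values:
            findings[name] = "missing"
        elif len(values) > 1:
            findings[name] = "duplicated: " + ", ".join(values)
        elif normalise(values[0]) not in accepted:
            findings[name] = f"unexpected value: {values[0]}"
        else:
            findings[name] = "ok"
    return findings


def missing_headers(raw: str) -> List[str]:
    """Names of expected headers absent from the response, in EXPECTED order."""
    return [name for name, finding in audit_headers(raw).items() if finding == "missing"]


if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{header:24} {finding}")
```

Run against the quoted response it reports all three headers missing. To set them for every page in Apache, as the thread suggests, mod_headers directives in the server or virtual-host configuration such as `Header always set X-Content-Type-Options "nosniff"` do it in one place; the `always` condition matters because without it Apache omits the header from error responses, which is exactly where an attacker-controlled error page would otherwise be sniffed or framed.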