HTTP headers are included in every HTTP response from a web server. Setting the appropriate HTTP headers can reduce the risk of man-in-the-middle and cross-site-scripting attacks on a web application. You can also reduce information leaks about the web application configuration - vital data that gives a would-be attacker clues about potential vulnerabilities. Read on to find out how to set the appropriate headers in your Perl web application.
The following headers are set:
X-Frame-Options: protects the site from being loaded into a frame or iframe (specs)
Strict-Transport-Security: instructs the requester to load all content via HTTPS
Content-Security-Policy: sets a whitelist of domains from which content can be safely loaded (specs)
X-Content-Type-Options: disables MIME sniffing (already off by default in IE, but enforced explicitly anyway)
X-Download-Options: prevents IE from opening an HTML file directly
X-XSS-Protection: turns on the browser's XSS filter
X-Webkit-CSP: iOS Safari 5.0-5.1
These two headers can be switched on optionally to support browsers not yet using the standard headers.
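To confirm that a deployed site actually sends the headers listed above, here is an added Python example (not part of this contrib or of Foswiki) that audits a captured set of response headers; the values it enforces, such as a one-year HSTS max-age, are this example's own assumptions rather than the contrib's defaults, and the sample headers are constructed.

```python
"""Audit the HTTP security headers listed above on a captured response.

Added example, not part of the Foswiki contrib. The expected values are
assumptions about sensible settings, not the contrib's own defaults.
"""
import re

# Constructed sample response headers, as a web server might return them.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; frame-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
}

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (framing allowed)")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:  # assumption: require at least one year
        findings.append("Strict-Transport-Security missing or max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = {d.split()[0] for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        # The contrib's changelog sets child-src next to the deprecated frame-src;
        # flag policies that only carry the old directive.
        if "frame-src" in directives and "child-src" not in directives:
            findings.append("CSP sets frame-src without child-src")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff (MIME sniffing possible)")
    if h.get("x-download-options", "").lower() != "noopen":
        findings.append("X-Download-Options is not noopen")
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("FINDING:", finding)
```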
For more information see also:
cd /path/to/foswiki
perl tools/extension_installer <NameOfExtension> install

If you have any problems, or if the extension isn't available in configure, then you can still install manually from the command-line. See https://foswiki.org/Support/ManuallyInstallingExtensions for more help.
| 17 Oct 2018 | more reasonable default settings |
| 09 Sep 2016 | added child-src policy in addition to the now deprecated frame-src |
| 08 Mar 2016 | fixed xss protection |
| Release | 17 Oct 2018 |
| Description | Add HTTP security headers to protect against XSS attacks |
| Copyright | 2015-2018 Michael Daum http://michaeldaumconsulting.com |
| License | GPL (GNU General Public License) |