From 243f74f10d9d6098c046fdd6316aad6bcde2c331 Mon Sep 17 00:00:00 2001
From: NarlaSandeepNarlaSaibaba
Date: Wed, 9 Oct 2019 14:45:18 -0500
Subject: [PATCH] =?UTF-8?q?Horizon=20=E2=80=93=20API=20Handling=20?=
 =?UTF-8?q?=E2=80=93=20HTTP=20Security=20Headers=20Not=20Present?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added new X-Content-Type-Options: nosniff header to make sure the browser does not try to detect a different Content-Type than what is actually sent (can lead to XSS)
Added new Header and set X-Permitted-Cross-Domain-Policies: "none"

Change-Id: I6f89ffb44ad805039c4074889a7c15fbef6fc95e
---
 horizon/values.yaml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/horizon/values.yaml b/horizon/values.yaml
index 0190050e8b..38d4aacf04 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -167,19 +167,17 @@ conf:
 # Require all denied
 #
- #
+ #Security-Settings
 # Setting this header will prevent MSIE from interpreting files as something
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
- #Header set X-Content-Type-Options: "nosniff"
-
- #
+ Header set X-Content-Type-Options: "nosniff"
+ Header set X-Permitted-Cross-Domain-Policies: "none"
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
 #
- #Header set X-Frame-Options: "sameorigin"
 local_settings:
 config:
 # Use "True" and "False" as Titlecase strings with quotes, boolean
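Review bot: The two added `Header set` lines are applied by mod_headers only to successful (2xx) responses, since without the `always` condition the directive works on the onsuccess table, so 4xx/5xx pages served through this vhost (Django error pages, proxy errors) would go out without these headers; write them as `Header always set X-Content-Type-Options "nosniff"` and `Header always set X-Permitted-Cross-Domain-Policies "none"`. The hunk also deletes the commented `#Header set X-Frame-Options: "sameorigin"` line rather than enabling it, which leaves the clickjacking comment block above it describing a header that is never set here, and the commit message does not mention that removal; if Horizon's own Django middleware is being relied on for X-Frame-Options, a one-line comment such as `# X-Frame-Options is emitted by Horizon's Django middleware, not set here` would stop a reader assuming the protection was dropped. The Apache configuration block that these lines belong to starts before this hunk, so the enclosing `<Directory>`/vhost scope the headers land in cannot be confirmed from what is shown.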