On Thursday, July 9, 2020 at 6:42:13 AM UTC-7, [email protected] wrote:
> Hi, these days I'm running a pen-test on my web2py application, and all the tools
> I used report that some "important" headers are missing.
> In particular:
>
> - X-Frame-Options Header Not Set (15)

Prevents embedding the page in a frame (or iframe), as a preventative for click-jacking. Geeks-for-geeks says it is obsoleted by CSP.

> - [...]
> - Incomplete or No Cache-control and Pragma HTTP Header Set (26)

Prevents caching the page. I am not sure what the security downside of caching the page is, unless there is privileged information, like on a password reset page.

> - Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) (50)

Revealing the type of server can tell the intruder which attacks might work.

> - X-Content-Type-Options Header Missing (48)

A nosniff setting rejects requests if there is a "style" MIME-type that isn't text/css or a JavaScript type. (Geeks-for-geeks doesn't explain this well, in my opinion.)

The real gurus can comment further. For more on security practices, you might look at OWASP's recommendations. <URL:https://owasp.org/>

/dps
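The following is an added example, not code from the original post or from the web2py project. It applies the four headers the scanner flagged and re-checks them, operating on a plain dict so it runs outside web2py; in an app you would call `harden_headers(response.headers)` from a model file so it runs on every request (the model-file placement and the specific header values are assumptions, and whether web2py re-adds `X-Powered-By` after the models run should be verified against the installed version). The `cacheable` flag is there because `no-store` is only worth imposing on pages that carry per-user data.

```python
# Added example: set the headers a scanner typically flags and audit
# the result. Works on any dict-like object; web2py's response.headers
# is one (assumed usage: harden_headers(response.headers) in models/0.py).

# Assumed conservative values; the CSP directive supersedes
# X-Frame-Options in modern browsers, so both are sent.
HARDENING = {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store, no-cache, must-revalidate',
    'Pragma': 'no-cache',
}

# Headers that reveal the framework or server software.
LEAKY = ('X-Powered-By', 'Server')


def harden_headers(headers, cacheable=False):
    """Add defensive headers and drop version-leaking ones in place.

    cacheable=True skips the no-store directives for pages that carry no
    per-user data (static marketing pages, for example).
    """
    for name, value in HARDENING.items():
        if cacheable and name in ('Cache-Control', 'Pragma'):
            continue
        headers[name] = value
    for name in LEAKY:
        headers.pop(name, None)
    return headers


def audit_headers(headers):
    """Return the scanner-style findings still present in headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = lowered.get('content-security-policy', '')
    if 'x-frame-options' not in lowered and 'frame-ancestors' not in csp:
        findings.append('X-Frame-Options Header Not Set')
    cache = lowered.get('cache-control', '')
    if 'no-store' not in cache and 'no-cache' not in cache:
        findings.append(
            'Incomplete or No Cache-control and Pragma HTTP Header Set')
    if 'x-powered-by' in lowered:
        findings.append(
            'Server Leaks Information via "X-Powered-By" HTTP Response Header')
    if lowered.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options Header Missing')
    return findings


if __name__ == '__main__':
    # Constructed sample resembling a default web2py response, which
    # carries X-Powered-By (the scanner in the post reported it).
    sample = {'Content-Type': 'text/html; charset=utf-8',
              'X-Powered-By': 'web2py'}
    print('before:', audit_headers(sample))
    print('after: ', audit_headers(harden_headers(dict(sample))))
```

Note that a front-end server (nginx, Apache, or web2py's built-in Rocket) can add its own `Server` header after the application has finished, so the audit is best run against the response as seen by a client, not only against `response.headers` inside the app.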

