Add headers suggested by HTTP Observatory

    • Critical
      ⚠️ Security Header Changes (Content Security Policy & Framing Restrictions)

      We have introduced stricter security headers, including a Content Security Policy (CSP) and optional frame restrictions.

      These changes may impact:
      - Integration of external JavaScript, styles, or APIs not explicitly whitelisted
      - Single Sign-On (SSO) setups relying on external resources
      - Embedding the application in iframes on other domains
      - Use of third-party widgets or HTML snippets

      If you are using custom integrations or embedding the application, please verify compatibility and update your configuration (e.g., CSP whitelists) accordingly.
      Some new headers were added for security reasons.
      Content-Security-Policy and X-Frame-Options may influence how the application works if you load custom scripts or styles from a different origin, or if you load translate5 in an <iframe> or <embed>.
      To make the headers configurable, we added the following config values, which can be set in installation.ini:
      runtimeOptions.headers.enableXFrameHeader
      runtimeOptions.headers.defaultSrcUrls
      runtimeOptions.headers.scriptSrcUrls
      runtimeOptions.headers.connectSrcUrls
      runtimeOptions.headers.styleSrcUrls
      runtimeOptions.headers.imgSrcUrls
      runtimeOptions.headers.fontSrcUrls

      Please check the reference in the application.ini file.
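      The two notes above list which CSP directives become configurable and ask integrators to verify compatibility before upgrading. The following is an added example, not translate5 code: it assembles a Content-Security-Policy value from per-directive origin lists named after the runtimeOptions.headers.* keys, then checks a constructed integration scenario (an SSO script, a CDN stylesheet, an API call, a framing attempt) against that policy the way a browser would, including the fallback to default-src and the X-Frame-Options rules. How translate5 itself serialises those config values and builds its exact header, the deployment origin https://translate5.example.com and every other hostname used here are assumptions.

```python
"""Added example: build a CSP from origin whitelists and test an integration against it.
Not translate5 code; the list-valued config format and all hostnames are assumed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Assumed mapping from the runtimeOptions.headers.* keys to CSP fetch directives.
DIRECTIVE_KEYS = {
    "default-src": "defaultSrcUrls",
    "script-src": "scriptSrcUrls",
    "connect-src": "connectSrcUrls",
    "style-src": "styleSrcUrls",
    "img-src": "imgSrcUrls",
    "font-src": "fontSrcUrls",
}


def build_csp(**whitelists):
    """'self' is always present; extra origins come from the keyword args (assumed format)."""
    parts = []
    for directive, key in DIRECTIVE_KEYS.items():
        sources = ["'self'"] + list(whitelists.get(key, []))
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expression, ...]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _parts(url):
    """(scheme, host, effective port) of a URL, with default ports filled in."""
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower())


def _split_host_source(source, default_scheme):
    """Split a CSP host-source such as https://*.cdn.example.net:8443/path into parts."""
    scheme, rest = (source.split("://", 1) if "://" in source else (default_scheme, source))
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme.lower(), host.lower(), port


def _host_matches(pattern, host):
    if pattern.startswith("*."):  # wildcard needs at least one extra label
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allows(source, url, page_url):
    """Does one source expression permit url? Covers 'self', 'none', '*',
    scheme-sources (https:) and host-sources with optional scheme, wildcard and port."""
    if source == "'none'":
        return False
    if source.startswith("'"):  # 'self', 'unsafe-inline', nonces, hashes
        return source == "'self'" and _parts(url) == _parts(page_url)
    scheme, host, port = _parts(url)
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source
        return scheme == source[:-1].lower()
    p_scheme, p_host, p_port = _split_host_source(source, scheme)
    if not (p_scheme == scheme or (p_scheme == "http" and scheme == "https")):
        return False  # an http source may be upgraded to https, never the reverse
    if not _host_matches(p_host, host):
        return False
    if p_port == "*":
        return True
    return port == (int(p_port) if p_port else DEFAULT_PORTS.get(scheme))


def allowed(policy, directive, url, page_url):
    """Check url against a fetch directive, falling back to default-src as browsers do."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_allows(s, url, page_url) for s in sources)


def frame_allowed(x_frame_options, embedder_url, page_url):
    """X-Frame-Options: DENY blocks all framing, SAMEORIGIN only cross-origin framing,
    absent header allows it (frame-ancestors is not modelled here)."""
    if x_frame_options is None:
        return True
    value = x_frame_options.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return _parts(embedder_url) == _parts(page_url)
    raise ValueError(f"unsupported X-Frame-Options value: {x_frame_options}")


# Constructed scenario (assumed origins): SSO script and CDN in script-src, an API in connect-src.
PAGE = "https://translate5.example.com/"
CSP = build_csp(scriptSrcUrls=["https://sso.example.org", "https://*.cdn.example.net"],
                connectSrcUrls=["https://api.example.org"])
POLICY = parse_csp(CSP)


def check_integration():
    """Results a practitioner would compare against their own whitelist config."""
    return {
        "sso_script": allowed(POLICY, "script-src", "https://sso.example.org/auth.js", PAGE),
        "cdn_style": allowed(POLICY, "style-src", "https://static.cdn.example.net/app.css", PAGE),
        "api_call": allowed(POLICY, "connect-src", "https://api.example.org/v1/segments", PAGE),
        "http_downgrade": allowed(POLICY, "script-src", "http://sso.example.org/auth.js", PAGE),
        "portal_iframe": frame_allowed("SAMEORIGIN", "https://portal.example.com/", PAGE),
    }
```

      Note that the CDN stylesheet is blocked even though the CDN host is whitelisted for scripts: each directive needs its own entry (styleSrcUrls here), and a directive that is absent from the header silently inherits default-src, which is 'self' only.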

      Need to add headers required by https://developer.mozilla.org/en-US/observatory/analyze for improving security.

            Assignee:
            Leon Kiz
            Reporter:
            Leon Kiz
            Thomas Lauria
            Stephan Bergmann, Sylvia Schumacher