Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default security headers are a bit too strict #323

Open
g105b opened this issue Jul 25, 2019 · 1 comment
Open

Default security headers are a bit too strict #323

g105b opened this issue Jul 25, 2019 · 1 comment
Assignees
@g105b
Milestone
v3

Comments

@g105b
Copy link
Member

g105b commented Jul 25, 2019
edited
Loading

Makes it really difficult to include things like bootstrap
g105b added a commit that referenced this issue Jul 25, 2019
@g105b
Remove security headers - too strict
e0d5203 
for #323
@g105b
Copy link
Member Author

g105b commented Nov 27, 2019

Take a look here:

WebEngine/src/Lifecycle.php

Lines 128 to 131 in f9c5d8e

$response = $response->withHeader(
"Content-type",
$router->getContentType()
);

This can be extracted into a separate function for setting the necessary response headers. The current Content-type header can be set as it is here, along with any headers defined within config.default.ini:

WebEngine/config.default.ini

Line 22 in 86ff1ea

default_headers="X-Content-Type-Options: nosniff; X-Frame-Options: deny; Content-Security-Policy: default-src 'none'"

@g105b g105b self-assigned this May 10, 2020
@g105b g105b added this to the v3 milestone May 24, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@g105b g105b

Labels
None yet
Projects
None yet
Milestone
v3
Development

No branches or pull requests
1 participant
@g105b