← Back to team overview

mahara-contributors team mailing list archive

[Bug 1531987] [NEW] Review HTTP headers to improve security

 

*** This bug is a security vulnerability ***

Public security bug reported:

We need to review our HTTP headers to improve security and check which
ones we should include per default and which ones might need to be
configurable. The review will include but is not limited to:

- Strict-Transport-Security
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Server
- X-Powered-By
- X-Permitted-Cross-Domain-Policies
- Caching headers

** Affects: mahara
     Importance: High
         Status: Confirmed

** Affects: mahara/1.10
     Importance: High
         Status: Confirmed

** Affects: mahara/15.04
     Importance: High
         Status: Confirmed

** Affects: mahara/15.10
     Importance: High
         Status: Confirmed


** Tags: security

** Also affects: mahara/1.10
   Importance: Undecided
       Status: New

** Also affects: mahara/15.10
   Importance: Undecided
       Status: New

** Also affects: mahara/15.04
   Importance: Undecided
       Status: New

** Changed in: mahara/1.10
       Status: New => Confirmed

** Changed in: mahara/15.04
       Status: New => Confirmed

** Changed in: mahara/15.10
       Status: New => Confirmed

** Changed in: mahara/1.10
   Importance: Undecided => High

** Changed in: mahara/15.04
   Importance: Undecided => High

** Changed in: mahara/15.10
   Importance: Undecided => High

** Changed in: mahara/1.10
    Milestone: None => 1.10.9

** Changed in: mahara/15.04
    Milestone: None => 15.04.6

** Changed in: mahara/15.10
    Milestone: None => 15.10.2

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1531987

Title:
  Review HTTP headers to improve security

Status in Mahara:
  Confirmed
Status in Mahara 1.10 series:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed

Bug description:
  We need to review our HTTP headers to improve security and check which
  ones we should include per default and which ones might need to be
  configurable. The review will include but is not limited to:

  - Strict-Transport-Security
  - Content-Security-Policy
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Server
  - X-Powered-By
  - X-Permitted-Cross-Domain-Policies
  - Caching headers

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1531987/+subscriptions


Follow ups