From 3f32f0831942a7aa155a7d18a5a3fa0bfeca37bb Mon Sep 17 00:00:00 2001
From: NarlaSandeepNarlaSaibaba
Date: Thu, 27 Jun 2019 13:25:54 -0500
Subject: [PATCH] =?UTF-8?q?Pentest-NC1.0=20Nova=E2=80=93Security=20HTTP=20?=
 =?UTF-8?q?Headers=20Not=20Present?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added new HTTP Security header Content-Security-Policy:self to make sure the browser does not allow any cross-site scripting attacks.
Added new HTTP Security header X-Permitted-Cross-Domain-Policies:none To prevent web client to load data from the current domain.
Added new HTTP Security header X-XSS-Protection:1 mode=block to sanitize the page, when a XSS attack is detected, the browser will prevent rendering of the page.
Change-Id: Ief137738f4b793f49f3632e25339c6f49492fd80
---
 ingress/values.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ingress/values.yaml b/ingress/values.yaml
index 3346a766f..edb76e28f 100644
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@@ -150,6 +150,8 @@ network:
 nginx.ingress.kubernetes.io/configuration-snippet: |
 more_set_headers "X-Content-Type-Options: nosniff";
 more_set_headers "X-Frame-Options: deny";
+ more_set_headers "X-Permitted-Cross-Domain-Policies: none";
+ more_set_headers "Content-Security-Policy: script-src 'self'";
 external_policy_local: false
 dependencies:
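Review bot: The added `Content-Security-Policy: script-src 'self'` line sets only `script-src` with no `default-src` fallback, so images, styles, frames, connections and object embeds remain unrestricted, while `'self'` also forbids inline scripts and event handlers for every backend routed through this shared ingress snippet, which is likely to break any service that still relies on inline `<script>` blocks. A safer rollout is to ship it first as `more_set_headers "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'";` and switch to the enforcing header once violation reports are clean, or to scope the policy per backend rather than globally. Note also that `more_set_headers` replaces an existing response header of the same name, so a backend that already emits its own, stricter CSP will have it overwritten by this ingress-wide value. Finally, the commit description claims a third header, `X-XSS-Protection: 1; mode=block`, that the hunk does not add; the description should be corrected, and since that header is deprecated in current browsers, leaving it out is the better outcome.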