--
You received this message because you are subscribed to the Google Groups "Trac Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to trac-dev+u...@googlegroups.com.
To post to this group, send email to trac...@googlegroups.com.
Visit this group at https://groups.google.com/group/trac-dev.
For more options, visit https://groups.google.com/d/optout.
On 14.12.2017 at 21:03, Ryan Ollos wrote:
--
On Thu, Dec 14, 2017 at 9:41 AM, Torge Riedel <torge...@gmx.de> wrote:
Hi,
I've set up a Trac via HTTPS using the latest stable Trac (1.2.2).
I've found a nice tool checking site configuration: https://observatory.mozilla.org/
Checking my Trac installation, I got a poor "D" rating.
The following is the list of tests that failed, resulting in a negative score:
Test                     Score  Explanation
Content Security Policy   -25   Content Security Policy (CSP) header not implemented
Contribute.json           -10   Contribute.json file cannot be parsed
X-Content-Type-Options     -5   X-Content-Type-Options header not implemented
X-Frame-Options           -20   X-Frame-Options (XFO) header not implemented
X-XSS-Protection          -10   X-XSS-Protection header not implemented
Since other sites hosted on my server get better ratings, there must be a chance to fix this in the code. Another way is to add such headers to the Apache config, but I'm not sure whether I am breaking something in Trac, and it's less flexible.
Is there a chance to improve the headers trac is sending? Can I help with whatever is helpful?
Regards
Torge
Some or all of this may be best addressed through your web server configuration. Are you running Apache?
- Ryan
Yes, I am running Apache. And I have full access to my server. Others might not have full access to the Apache config and be able to add headers, or mod_headers is not activated.
That's why I think as many of these headers as possible should be sent by Trac.
Is there a chance to get this into Trac 1.2.3? I recommend setting the headers above in the default trac.ini created by trac-admin initenv.
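An added example, not part of this thread and not Trac project code, showing the application-side approach Torge argues for above: a WSGI middleware that adds the four headers the Observatory report flagged, which can wrap Trac's WSGI entry point in a mod_wsgi deployment where the Apache config (or mod_headers) is out of reach. The header values, the stand-in demo_app and the run_wsgi harness are assumptions made for the example; the deductions in audit_headers are copied from the report table above.

```python
from __future__ import print_function

import io
import sys

# Headers the Observatory report in this thread flagged, with values a
# practitioner would start from (assumed defaults, not Trac's own).
# Trac's templates use inline scripts and styles, so the CSP keeps
# 'unsafe-inline'; a stricter policy must be tested against the UI first.
DEFAULT_SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; "
                               "script-src 'self' 'unsafe-inline'; "
                               "style-src 'self' 'unsafe-inline'; "
                               "img-src 'self' data:; "
                               "frame-ancestors 'self'",
}

# Score deductions copied from the report table above (Contribute.json is a
# file on the site, not a header, so it is out of scope here).
SCORE_DEDUCTIONS = {
    "content-security-policy": -25,
    "x-content-type-options": -5,
    "x-frame-options": -20,
    "x-xss-protection": -10,
}


def merge_headers(response_headers, extra):
    """Return a new WSGI header list with each header in `extra` appended
    unless the application already sent it (HTTP header names are
    case-insensitive, so the comparison is done on lower-cased names)."""
    present = set(name.lower() for name, _ in response_headers)
    merged = list(response_headers)
    for name, value in sorted(extra.items()):
        if name.lower() not in present:
            merged.append((name, value))
    return merged


def audit_headers(response_headers):
    """Map each flagged header that is missing from the response to its
    deduction from the report table; an empty dict means all are present."""
    present = set(name.lower() for name, _ in response_headers)
    return dict((name, score) for name, score in SCORE_DEDUCTIONS.items()
                if name not in present)


class SecurityHeadersMiddleware(object):
    """Wrap a WSGI application and add security headers to every response,
    leaving any header the application already set untouched."""

    def __init__(self, app, headers=None):
        self.app = app
        self.headers = dict(DEFAULT_SECURITY_HEADERS if headers is None
                            else headers)

    def __call__(self, environ, start_response):
        def _start_response(status, response_headers, exc_info=None):
            merged = merge_headers(response_headers, self.headers)
            return start_response(status, merged, exc_info)
        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for trac.web.main.dispatch_request: serves a
    wiki page, and a /login page that already sets a stricter X-Frame-Options."""
    body = b"<html><body>Trac wiki page</body></html>"
    headers = [("Content-Type", "text/html;charset=utf-8"),
               ("Content-Length", str(len(body)))]
    if environ.get("PATH_INFO") == "/login":
        headers.append(("x-frame-options", "DENY"))
    start_response("200 OK", headers)
    return [body]


def run_wsgi(app, path="/"):
    """Call `app` with a minimal constructed environ and return
    (status, header list, body bytes); a harness, not a server."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "SCRIPT_NAME": "",
        "SERVER_NAME": "localhost", "SERVER_PORT": "443",
        "wsgi.url_scheme": "https", "wsgi.version": (1, 0),
        "wsgi.input": io.BytesIO(b""), "wsgi.errors": sys.stderr,
        "wsgi.multithread": False, "wsgi.multiprocess": False,
        "wsgi.run_once": False,
    }
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = response_headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    application = SecurityHeadersMiddleware(demo_app)
    for path in ("/wiki", "/login"):
        status, headers, _ = run_wsgi(application, path)
        print(path, status)
        for name, value in headers:
            print("  %s: %s" % (name, value))
        print("  missing:", audit_headers(headers))
```

In a trac.wsgi generated by trac-admin deploy, the entry point is the line application = trac.web.main.dispatch_request; changing it to application = SecurityHeadersMiddleware(trac.web.main.dispatch_request) is all mod_wsgi needs. Where mod_headers is available, the Apache-side equivalent is a Header always set X-Frame-Options "SAMEORIGIN" directive (and likewise for the others) in the VirtualHost. Two caveats: the CSP in the example is a conservative starting point rather than a hardened policy, because Trac's pages depend on inline scripts and styles and a policy without 'unsafe-inline' breaks the UI; and X-XSS-Protection only matters to browsers that still ship an XSS auditor, so it is harmless but should not be counted on. The middleware deliberately does not override a header the application already sent, so a page that chooses a stricter value, such as DENY for X-Frame-Options, keeps it.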
Hi,
Regarding secure cookies: sorry, I missed that. I changed it in my installation and the rating got better.
I will wait for 1.2.3 and will give feedback after deploying and changing the configurable headers.
Thanks for your efforts
Torge