Hi
We installed Openfire at a customer which does vulnerability scanning. They came back with, among others, the following:
the absence of the following HTTP headers (OWASP Secure Headers Project | OWASP Foundation) according to CWE-693: Protection Mechanism Failure (CWE - CWE-693: Protection Mechanism Failure (4.15)):
X-Content-Type-Options: This HTTP header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header.
Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
These should be set as follows:
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=< [;includeSubDomains]
Can I apply a configuration on the Openfire webserver so that this is solved?
Thanks
Mark
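An added example (not part of the original post and not Openfire's own code) that checks a server's response headers for the two findings above, so the result can be verified once the configuration is changed. The minimum HSTS `max-age` of one year is an assumed threshold, since the scan report leaves the value open; the server URL is a placeholder.

```python
"""Check an HTTP response for the headers named in the scan finding."""
import sys
import urllib.error
import urllib.request

# Assumed threshold: one year, a commonly recommended HSTS lifetime.
DEFAULT_MIN_HSTS_AGE = 31536000


def check_security_headers(headers, min_hsts_age=DEFAULT_MIN_HSTS_AGE):
    """Evaluate a header mapping (any case) against the two findings.

    Returns a dict: finding name -> True if satisfied, False otherwise.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    results = {}

    # X-Content-Type-Options must be exactly "nosniff" (value is case-insensitive).
    xcto = lower.get("x-content-type-options", "").strip().lower()
    results["x-content-type-options"] = xcto == "nosniff"

    # Strict-Transport-Security: split "max-age=N; includeSubDomains" into directives.
    directives = {}
    for part in lower.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    results["strict-transport-security"] = (
        max_age is not None and max_age.isdigit() and int(max_age) >= min_hsts_age
    )
    # The optional directive from the finding; reported separately, not required.
    results["hsts-includesubdomains"] = "includesubdomains" in directives
    return results


def fetch_headers(url, timeout=10):
    """GET the URL and return its response headers; HSTS is only meaningful over https."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # a 4xx/5xx page still carries headers
        return dict(err.headers.items())


if __name__ == "__main__":
    # Placeholder URL: the Openfire admin console on the default HTTPS port.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://openfire.example.invalid:9091/"
    for finding, ok in check_security_headers(fetch_headers(target)).items():
        print(f"{finding}: {'OK' if ok else 'MISSING or WEAK'}")
```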