Skip to Main Content
Cumulocity IoT Feedback Portal
Status Unlikely to support
Created by Guest
Created on Dec 23, 2019

Missing security HTTP header - Security Risk


The Web server is not configured to return all security HTTP headers. These headers and their
recommended configuration are presented in the attachment

Usage of recommended security HTTP headers helps to reduce the risks associated with several security
flaws (e.g. information leaks, Cross-Site Scripting, « man-in-the-middle », etc.). It is important to mention
that these HTTP headers are supported by most Web browsers.
Depending on the type of technology used, it is possible to add these headers by modifying the application
code or changing the configuration of the Web server or development platform. Further verification will
be necessary to properly address this vulnerability.

 Geek Flare - How to Implement Security HTTP Headers to Prevent Vulnerabilities

    Jan 15, 2020

    Dear Shaine, thanks a lot for the feedback. We took a deliberate decision to not include this header as modern browsers by default enable XSS filtering, which eliminates the need for this header. Moreover, we do implement “Content-Security-Policy” by adding the following <meta> tag in our HTML responses (with default-src 'self' 'unsafe-inline' http: https: ws: wss:), which is a recommended approach to disable the use of inline JavaScript.

  • Attach files