Cumulocity IoT Feedback Portal
Status Unlikely to support
Created by Guest
Created on Dec 23, 2019

Missing security HTTP header - Security Risk

Environment
dormakabastaging.us.cumulocity.com

Description
The Web server is not configured to return all security HTTP headers. These headers and their recommended configuration are presented in the attachment.

Usage of recommended security HTTP headers helps to reduce the risks associated with several security flaws (e.g. information leaks, Cross-Site Scripting, "man-in-the-middle", etc.). It is important to mention that these HTTP headers are supported by most Web browsers.

Recommendation
Depending on the type of technology used, it is possible to add these headers by modifying the application code or changing the configuration of the Web server or development platform. Further verification will be necessary to properly address this vulnerability.


References
Geek Flare - How to Implement Security HTTP Headers to Prevent Vulnerabilities, https://geekflare.com/http-header-implementation/

ADMIN RESPONSE
Jan 15, 2020

Dear Shaine, thanks a lot for the feedback. We took a deliberate decision to not include this header, as modern browsers by default enable XSS filtering, which eliminates the need for this header. Moreover, we do implement "Content-Security-Policy" by adding the following <meta> tag in our HTML responses (with default-src 'self' 'unsafe-inline' http: https: ws: wss:), which is a recommended approach to disable the use of inline JavaScript.
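The report asks for the missing headers to be verified and added. The audit script below is an added illustration, not part of the feedback post, the Cumulocity response or any Cumulocity code: it takes a captured HTTP response, reports which headers from a recommended set are missing or weakly configured, and parses the Content-Security-Policy it finds, whether delivered as a header or in a <meta> tag, for permissive script sources and for directives the CSP specification ignores in a <meta> policy. The header list, the acceptance thresholds and the sample response are the editor's assumptions, because the attachment the report refers to is not on the page.

```python
import re

# Assumed recommended header set with a minimal acceptance check per value.
# The attachment the report refers to is not on the page, so this list is the
# editor's assumption and not Cumulocity's own list.
def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 31536000   # at least one year

RECOMMENDED = {
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}

# Source expressions that make a script-src / default-src list permissive.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

# Directives the CSP specification ignores when the policy is delivered in a <meta> element.
META_IGNORED = ("frame-ancestors", "report-uri", "sandbox")

# Matches <meta http-equiv="Content-Security-Policy" content="..."> with the
# attributes in that order (sufficient for the constructed sample below).
META_CSP = re.compile(
    r'<meta\s+http-equiv=(["\'])content-security-policy\1\s+content=(["\'])(.*?)\2',
    re.I | re.S)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_csp(policy):
    """'default-src a b; script-src c' -> {'default-src': ['a', 'b'], 'script-src': ['c']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(policy, delivered_via):
    """Flag permissive script sources and directives that do nothing in a <meta> policy."""
    d = parse_csp(policy)
    findings = []
    # script-src falls back to default-src; with neither present scripts are unrestricted
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
    else:
        findings.extend(f"script sources allow {s}" for s in script if s in WEAK_SOURCES)
    if delivered_via == "meta":
        findings.extend(f"{name} is ignored in a <meta> policy"
                        for name in META_IGNORED if name in d)
    return findings


def audit(raw):
    """Return {'missing': [...], 'weak': [...], 'csp': [...]} for one captured response."""
    _, headers, body = parse_response(raw)
    report = {"missing": [], "weak": [], "csp": []}
    for name, ok in RECOMMENDED.items():
        if name not in headers:
            report["missing"].append(name)
        elif not ok(headers[name]):
            report["weak"].append(f"{name}: {headers[name]}")
    if "content-security-policy" in headers:
        report["csp"] = csp_findings(headers["content-security-policy"], "header")
    else:
        m = META_CSP.search(body)
        if m:
            report["csp"] = (["delivered only via <meta>, not as a header"]
                             + csp_findings(m.group(3), "meta"))
        else:
            report["missing"].append("content-security-policy")
    return report


# Constructed sample response (not a capture from the environment named in the report):
# no HSTS, no X-Frame-Options, no Referrer-Policy, and a CSP only in a <meta> tag.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    '<html><head><meta http-equiv="Content-Security-Policy" '
    "content=\"default-src 'self' 'unsafe-inline' http: https: ws: wss:\">"
    "</head><body></body></html>"
)

if __name__ == "__main__":
    for section, items in audit(SAMPLE).items():
        print(section)
        for item in items:
            print("  -", item)
```

Run against a real capture, feed the raw response text (for example from `curl -si`) into `audit()` and treat every entry under `missing` and `weak` as a header to add or tighten; `csp` lists the source expressions that would have to be removed for the policy to actually restrict script execution.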
