Werk #13194: Add several security HTTP headers
Component | Setup |
Title | Add several security HTTP headers |
Date | Oct 11, 2021 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk Version | 2.0.0p23 2.1.0b1 |
Level | Trivial Change |
Class | New Feature |
Compatibility | Compatible - no manual interaction needed |
This werk adds the following security headers:
LI:X-Frame-Options: sameorigin Only websites hosted on the same domain are allowed to include CMK as an frame. The Content-Security-Policy already constrains this. LI:X-XSS-Protection: 1; mode=block Enables the browser buitin XSS protection. LI:X-Permitted-Cross-Domain-Policies: none We do not ship cross-domain policies so we disable them with this header. LI:Referrer-Policy: origin-when-cross-origin Only send the origin as Referer to other sites.
You can overwrite these settings in the Apache config if you need to.