HAProxy Header Security

Hi,

According to the recent third-party penetration test report, we received findings regarding some missing security headers.

Is this something we need to fix at the load balancer level, and if so, is there a guide available that we can review?

We had these findings:

Content Security Policy (CSP) Header Not Set

Multiple X-Frame-Options Header Entries

Missing Anti-clickjacking Header

X-Content-Type-Options Header Missing

Thanks,

Igor

You can use:

http-response add-header

or

http-response set-header

Thanks Lukas,

Do you know also which headers to set and with what parameters?

Igor

No, you need to research this based on the requirements of your application, otherwise your application will likely break.


While you can inject HTTP headers with a proxy, these are most likely* headers which your web service should provide, not your proxy.

You might find the HTTP Security Response Headers Cheat Sheet useful.

As @lukastribus says, proceed with care. These are headers you need to set correctly to avoid confusing breakage.

*[Since we don’t know what you have behind your proxy or how relevant the pen test finding is for your environment, we can’t eliminate the possibility that the proxy is the best place to inject headers.]
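As an added illustration of Lukas's two directives and of the caution above (this is example configuration, not something posted in the thread), the snippet below sets the headers from Igor's findings at the proxy. Backend address, port and all header values are assumptions; the CSP value in particular is a placeholder that must be derived from what the application really loads.

```haproxy
# Added example, not from the thread: headers from the pen-test findings
# applied at the proxy. Addresses, ports and header values are assumed.
frontend fe_web
    bind :80
    default_backend be_app

    # set-header replaces any copy the backend already sent, so the
    # "Multiple X-Frame-Options Header Entries" finding cannot recur.
    # add-header would append a second copy when the app also sets it.
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff

    # CSP needs per-application tuning: 'default-src self' is a placeholder
    # that will break pages loading scripts, fonts or images from other
    # origins. frame-ancestors covers the anti-clickjacking finding too.
    # Leave an application-provided policy alone instead of overwriting it.
    http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" unless { res.hdr(Content-Security-Policy) -m found }

backend be_app
    server app1 127.0.0.1:8080 check   # assumed backend address
```

Roll the CSP line out as Content-Security-Policy-Report-Only first and read the violation reports before switching to the enforcing header name.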