
Release Notes / Version 12.2404


Configured Content Security Policy for Live CAE

The CAE HTTP security configuration now supports setting the Content-Security-Policy response header via cae.http-headers.csp.directives. The shipped configuration is a same-origin-only policy, as recommended by the OWASP Content Security Policy Cheat Sheet. The Spring dev profile switches the Live CAE to report-only mode (violations are reported but not blocked) and disables CSP entirely for the Preview CAE.

Additionally, the X-XSS-Protection response header is now disabled for HTTP requests to the Live CAE. Although X-XSS-Protection can protect users of older browsers that do not support CSP, the browser-side XSS filter it enables can in some cases create XSS vulnerabilities in otherwise safe websites. It is therefore recommended to rely on a Content-Security-Policy that does not allow 'unsafe-inline' scripts instead. For further information, see X-XSS-Protection in the MDN Web Docs and the OWASP Content Security Policy Cheat Sheet.

(CMS-23644)
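The following is an added illustration, not CoreMedia code and not the real cae.http-headers.csp.directives property format (the directives dictionary is a hypothetical stand-in). It builds the same-origin-only policy described above, shows the header set a Live CAE (enforcing), a dev-profile Live CAE (report-only) and a Preview CAE (CSP off) would send, and lints a header set for the two weaknesses the note warns about: a script-src that allows 'unsafe-inline' without a nonce or hash, and an enabled X-XSS-Protection. It assumes "disabled" means sending X-XSS-Protection: 0, which is how MDN recommends switching the legacy filter off.

```python
"""Build and lint Content-Security-Policy response headers (illustrative only)."""
from typing import Dict, List, Optional

# Same-origin-only baseline in the spirit of the OWASP CSP cheat sheet.
# Hypothetical shape; the real property format is not reproduced here.
SAME_ORIGIN_DIRECTIVES: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'self'"],
    "form-action": ["'self'"],
}

MODES = ("enforce", "report-only", "off")


def serialize_csp(directives: Dict[str, List[str]]) -> str:
    """Render a directive map as a CSP header value: 'name v1 v2; name v1'."""
    return "; ".join(f"{name} {' '.join(values)}".strip() for name, values in directives.items())


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Inverse of serialize_csp; directive names are case-insensitive."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def security_headers(directives: Dict[str, List[str]], *, mode: str,
                     report_to: Optional[str] = None) -> Dict[str, str]:
    """Headers a response would carry for one of the three profiles in the note.

    mode: 'enforce' (Live CAE), 'report-only' (dev profile Live CAE), 'off' (Preview CAE).
    X-XSS-Protection is always sent as '0': the legacy browser XSS filter is
    disabled regardless of CSP mode.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}, expected one of {MODES}")
    headers = {"X-XSS-Protection": "0"}
    if mode == "off":
        return headers
    policy = dict(directives)
    if report_to:
        # report-uri is deprecated in favour of report-to but still the most widely honoured.
        policy["report-uri"] = [report_to]
    name = "Content-Security-Policy-Report-Only" if mode == "report-only" else "Content-Security-Policy"
    headers[name] = serialize_csp(policy)
    return headers


def lint_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the weaknesses the release note warns about."""
    findings: List[str] = []
    csp = headers.get("Content-Security-Policy")
    report_only = headers.get("Content-Security-Policy-Report-Only")
    policy = csp or report_only
    if policy is None:
        findings.append("no CSP header")
    else:
        directives = parse_csp(policy)
        # script-src falls back to default-src when absent.
        script = directives.get("script-src", directives.get("default-src", []))
        strict_sources = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
        has_nonce_or_hash = any(s.startswith(strict_sources) for s in script)
        # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'
        # (it only serves as a fallback for old browsers), so it is not a finding.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without nonce/hash: inline XSS is not blocked")
        if csp is None:
            findings.append("CSP is report-only: violations are reported, nothing is blocked")
    if headers.get("X-XSS-Protection", "0").strip() != "0":
        findings.append("X-XSS-Protection enabled: legacy XSS filter can itself be abused; send 0 and rely on CSP")
    return findings


if __name__ == "__main__":
    for mode in MODES:
        hdrs = security_headers(SAME_ORIGIN_DIRECTIVES, mode=mode, report_to="/csp-report")
        print(mode, hdrs, lint_headers(hdrs))
```

Running the block prints the three header sets and their lint findings; the report-only and off profiles each produce one finding, which is the point of the dev profile being dev-only. Feed lint_headers the headers from a real response (for example from requests.get(url).headers) to check a deployed CAE.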
