U4-11425 - Improve security health checks to negate some of the behavior for the backoffice route

Created by Sebastiaan Janssen 08 Jun 2018, 07:29:07 Updated by Sebastiaan Janssen 14 Jun 2018, 16:19:22

For example, the ClickJacking health check currently sets X-Frame-Options: SAMEORIGIN but that's only because some parts of the backoffice still need iframes. The frontend, however, should have X-Frame-Options: DENY set.

So we need to update the umbraco location node to set SAMEORIGIN while the rest of the site gets DENY.

Example:

<system.webServer>
</system.webServer>
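The location-based split described above, written out as an added example: this is not the issue's own snippet (the empty <system.webServer> block is all that survived of the original example) and not Umbraco's shipped configuration. It assumes the backoffice lives under the default "umbraco" path and that the headers are set in web.config through IIS custom headers. One detail a practitioner needs: a child <location> inherits the parent's customHeaders collection, so the backoffice override has to <remove> the inherited DENY before adding SAMEORIGIN; a second <add> with the same name is a duplicate collection entry and IIS fails the request with a configuration error instead of serving the page.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Added example, not from the issue. Site-wide default: refuse framing
       entirely, which is what the public frontend should get. The <remove>
       is defensive so a value inherited from applicationHost.config or a
       parent site cannot collide with the <add>. -->
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  <!-- Backoffice only (assumes the default "umbraco" path; adjust if
       umbracoPath is changed). Same-origin framing is allowed here because
       parts of the backoffice still use iframes. The inherited DENY must be
       removed first: a duplicate <add name="X-Frame-Options"> in the child
       location is rejected by IIS as a duplicate collection entry. -->
  <location path="umbraco">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Frame-Options" />
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>
```

To confirm the split took effect, request a frontend page and a backoffice URL with curl -sI and compare the X-Frame-Options response header: the frontend should answer DENY and anything under /umbraco/ should answer SAMEORIGIN. A health check that only inspects the site root will see DENY, so the check itself needs to know about the backoffice path to report the SAMEORIGIN exception correctly rather than flagging it.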

Comments

Priority: Normal

Type: Bug

State: Open

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version:

Sprint:

Story Points:

Cycle: