crucial security headers
Hi Team,
Apex version 24.2
ORDS version 23.4
DB version 19.27
Please provide an update as this is a security concern.
We have done a security vulnerability scan against our Apex application behind an OCI Load Balancer with WAF integration. The scan reported the following:
"It was observed that crucial security headers are missing from the application. Below are the headers missing:
Strict Transport Security
Content Security Policy
X-Frame-Options"
Recommendation:
"It is recommended to implement Strict-Transport-Security (HSTS): max-age=31536000; include Subdomains; preload
X-FRAME-OPTIONS: SAMEORIGIN / DENY
Referrer-Policy: no-referrer | same-origin | origin | strict-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content security policy like: default-src 'self';
script-src 'self' https://trusted-scripts.example.com;
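As an added example (not code from the original post or from Oracle), the following Python audit reproduces the scanner's checks against a captured header set: it flags the headers the scan found missing and also validates the values the recommendation lists (HSTS max-age of at least one year with includeSubDomains, X-Frame-Options SAMEORIGIN or DENY, the listed Referrer-Policy values, a default-src fallback in the CSP). The header dictionaries are constructed samples; run it against the headers captured from your own ORDS endpoint to confirm a fix before re-scanning.

```python
"""Audit response headers against the recommendations quoted above (constructed example, not ORDS/APEX/OCI WAF code)."""
import re
MIN_HSTS_AGE = 31536000  # one year, as the scanner recommends
ALLOWED_XFO = {"sameorigin", "deny"}
ALLOWED_REFERRER = {"no-referrer", "same-origin", "origin", "strict-origin"}

# Constructed samples: roughly what the scan saw, and a hardened response.
SCANNED = {"Content-Type": "text/html;charset=UTF-8"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://trusted-scripts.example.com",
}

def _directives(value):
    """Split a ';'-delimited header value into lower-cased directives."""
    return [d.strip().lower() for d in value.split(";") if d.strip()]

def check_hsts(value):
    """Findings for a Strict-Transport-Security value; [] means it is acceptable."""
    findings, dirs = [], _directives(value)
    age = next((int(m.group(1)) for d in dirs
                if (m := re.fullmatch(r"max-age=(\d+)", d))), None)
    if age is None:
        findings.append("HSTS: max-age missing")
    elif age < MIN_HSTS_AGE:
        findings.append(f"HSTS: max-age {age} below {MIN_HSTS_AGE}")
    if "includesubdomains" not in dirs:  # the directive is spelled includeSubDomains
        findings.append("HSTS: includeSubDomains missing")
    return findings

def audit_headers(headers):
    """Return findings for a {name: value} dict; [] means every check passed."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = (check_hsts(h["strict-transport-security"]) if "strict-transport-security" in h
                else ["missing Strict-Transport-Security"])
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "default-src" not in {d.split()[0] for d in _directives(csp)}:
        findings.append("CSP: no default-src fallback directive")
    if h.get("x-frame-options", "").lower() not in ALLOWED_XFO:
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if h.get("referrer-policy", "").lower() not in ALLOWED_REFERRER:
        findings.append("Referrer-Policy missing or not a recommended value")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    return findings
```

The HSTS directive is spelled `includeSubDomains` (the check accepts it case-insensitively); `preload` is only honoured by browser preload lists when `includeSubDomains` is also present.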