When going to the following:
/ui and sub-links, e.g. /ui/Hello
/metadata link
/favicon.ico
/jsv/metadata and sub-links, e.g. /jsv/metadata?op=QueryMetaMenuPermissionViews
/csv/metadata and sub-links, e.g. /csv/metadata?op=QueryMetaMenuPermissionViews
/xml/metadata and sub-links, e.g. /xml/metadata?op=QueryMetaMenuPermissionViews
/json/metadata, e.g. /json/metadata?op=QueryMetaMenuPermissionViews
/jsonl/metadata, e.g. /jsonl/metadata?op=QueryMetaMenuPermissionViews
The X-Content-Type-Options header is missing. When setting it as described in this link (Link to Article), it still does not set the X-Content-Type-Options header. The same is true for the Content-Security-Policy header, the Referrer-Policy header and the Permissions-Policy header.
Also, the HSTS header is missing or misconfigured on:
/csv/metadata?op=Whatever
/json/metadata?op=Whatever
/jsonl/metadata?op=Whatever
/xml/metadata?op=Whatever
It is the same for the X-XSS-Protection header.
Same for the X-Frame-Options header.
We also have an issue w.r.t. the cookies set when you log into /ui: they have to have the SameSite attribute set. We need to set the SameSite attribute on the cookie.
Thanks
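To make the headers listed in this report verifiable on each path, here is an added example of a small response-header audit, written for this page and not taken from the report or from ServiceStack. It parses a raw HTTP response, reports each of the named headers as missing or misconfigured, and flags Set-Cookie lines without a SameSite attribute. The sample responses are constructed inline (the cookie names are sample values), and the accepted values and the one-year HSTS minimum are this checker's own assumptions based on common hardening guidance, not anything the report states.

```python
"""Audit HTTP response headers for the security headers discussed in the report.

Added example, not the reporter's or ServiceStack's code. Sample responses are
constructed; accepted values are this checker's assumptions.
"""
from __future__ import annotations

import re
from typing import Callable


def parse_raw_headers(raw: str) -> list[tuple[str, str]]:
    """Split the header section of a raw HTTP response into (name, value) pairs.

    The status line is skipped and names are lower-cased (header names are
    case-insensitive). Repeated headers such as Set-Cookie stay separate.
    """
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def _hsts_ok(value: str) -> bool:
    # Misconfigured if max-age is absent, unparsable or under one year
    # (the one-year floor is an assumption of this checker).
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) >= 31_536_000


# Header name -> predicate that returns True when the value is acceptable.
REQUIRED: dict[str, Callable[[str], bool]] = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "default-src" in v.lower()
    or "frame-ancestors" in v.lower(),
    "referrer-policy": lambda v: v.lower()
    in {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
    "permissions-policy": lambda v: bool(v),
    # Legacy header: current browsers ignore it and CSP is the effective control.
    "x-xss-protection": lambda v: v.replace(" ", "").lower() in ("0", "1;mode=block"),
}


def check_cookies(headers: list[tuple[str, str]]) -> list[str]:
    """One finding per Set-Cookie that lacks SameSite, or uses SameSite=None
    without Secure (a combination browsers reject)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        samesite = next((a for a in attrs if a.startswith("samesite=")), None)
        if samesite is None:
            findings.append(f"{cookie_name}: missing SameSite")
        elif samesite == "samesite=none" and "secure" not in attrs:
            findings.append(f"{cookie_name}: SameSite=None without Secure")
    return findings


def audit(raw_response: str) -> dict[str, list[str]]:
    """Classify every required header as ok, missing or misconfigured."""
    headers = parse_raw_headers(raw_response)
    present: dict[str, str] = {}
    for name, value in headers:
        present.setdefault(name, value)  # first occurrence wins
    missing, misconfigured = [], []
    for name, ok in REQUIRED.items():
        if name not in present:
            missing.append(name)
        elif not ok(present[name]):
            misconfigured.append(name)
    return {"missing": missing, "misconfigured": misconfigured,
            "cookies": check_cookies(headers)}


# Constructed sample: no security headers, session cookies without SameSite.
SAMPLE_UNHARDENED = """HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Set-Cookie: ss-id=abc123; Path=/; HttpOnly
Set-Cookie: ss-pid=def456; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT
"""

# Constructed sample: the same response with the headers the report asks for.
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
X-XSS-Protection: 0
Set-Cookie: ss-id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, raw in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(raw))
```

Run it against the raw response of each path listed above (for example, captured with curl -i) to get a per-path list of what is missing; the unhardened sample reports all seven headers missing and both cookies without SameSite, while the hardened sample reports nothing.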