secure
Martini handler that implements a few quick security wins.
For redirecting HTTP methods other than GET and HEAD, response 307 should be used. This prevents bad behavior in most browsers that respond to a redirect via a 302 with...
I'm not so sure about the support for the current capitalization now (`X-Xss-Protection`) in the various browsers; I _think_ it shouldn't be a problem if we trust them to follow...
I see there's no parameter to define the IP or CIDR of your load balancers / proxies / SSL offloaders, and thus the code can't (and doesn't) check if the...