Thomas P
Posted July 10, 2019

Hi IPS admin users and fellows,

I read in several topics that secure headers can affect the editor's behavior. So we have the following to meet "security standards":

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

Which ones do I need to change in order for IPB to function as designed?

Thank you for clarification,
Thomas
bfarber
Posted July 10, 2019

Invision Community already sets X-Frame-Options to "sameorigin" if your AdminCP setting to prevent clickjacking isn't disabled.

You should disable the X-XSS-Protection header. We explicitly disable this, because when you are posting HTML content to a forum it is entirely expected that the submitted content is going to be immediately "reflected" or displayed back to the end user upon submit. With certain things, such as certain embeds that may use JavaScript, the X-XSS-Protection may result in the post/viewing of the post not working correctly.
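An added example (not part of the thread and not Invision Community code) that checks a captured HTTP response against the header policy described in the answer above: X-Frame-Options set to SAMEORIGIN, X-Content-Type-Options set to nosniff, and X-XSS-Protection either absent or explicitly disabled with "0" rather than "1; mode=block". The sample responses are constructed for the example.

```python
"""Check an HTTP/1.x response header block against the header policy from the thread."""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():
            break                       # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_policy(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the headers match the policy."""
    findings: List[str] = []
    if headers.get("x-frame-options", "").lower() != "sameorigin":
        findings.append("X-Frame-Options missing or not SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    xss = headers.get("x-xss-protection")
    # The header is acceptable only if absent or explicitly "0" (auditor off);
    # "1; mode=block" can break posting/viewing of reflected HTML content.
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection enabled (%r); disable it (remove or set to 0)" % xss)
    return findings


# Constructed sample responses: before and after applying the recommendation.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n<html>...</html>"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, check_policy(parse_headers(raw)) or ["OK"])
```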
Thomas P (Author)
Posted July 11, 2019

Thanks for your clarification and explanation 👍 We changed the setting accordingly.