Thomas P Posted July 10, 2019 Posted July 10, 2019 Hi IPS admin users and fellows, I read in several topics that secure headers can affect the editor's behavior. So we have the following to meet "security standards": X-Frame-Options SAMEORIGIN X-XSS-Protection 1; mode=block X-Content-Type-Options nosniff Which ones do I need to change in order for IPB to function as designed? Thank you for clarification, Thomas
bfarber Posted July 10, 2019 Posted July 10, 2019 Invision Community already sets X-Frame-Options to "sameorigin" if your AdminCP setting to prevent click jacking isn't disabled. You should disable the X-XSS-Protection header. We explicitly disable this, because when you are posting HTML content to a forum it is entirely expected that the submitted content is going to be immediately "reflected" or displayed back to the end user upon submit. With certain things, such as certain embeds that may use javascript, the X-XSS-Protection may result in the post/viewing of the post not working correctly.
Thomas P Posted July 11, 2019 Author Posted July 11, 2019 Thanks for your clarification and explanation 👍 We changed the setting accordingly.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.