Open
Labels: T-bug Type: Bug
Description
If I were you, I'd add rel="noopener noreferrer" to links to external urls so people can't exploit window.opener. Not very serious, but worth doing. Read more
I know, I know. Everybody hates when others tell them they are missing security headers. Is there any reason why the X-XSS-Protection header is not set? There are a few others I'd add too, but these depend on how the site is set up:
- Strict-Transport-Security: Require use of HTTPS
- Content-Security-Policy: Mitigates some XSS attacks
- Public-Key-Pins: Prevents MiTM attacks using rogue X.509 certs if the CA is compromised
- X-Frame-Options: Stops clickjacking attacks
- X-Content-Type-Options: Stops browser from MIME-sniffing
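Added example, not code from the project or the reporter: a small audit a site maintainer could run for both points in this report, checking a response-header mapping for the headers listed above and scanning HTML for external `target="_blank"` links that lack `rel="noopener"`. The sample headers, HTML and the site host `example.com` are constructed assumptions.

```python
# Added example, not the project's own code: audit response headers and outbound
# links for the points raised in this issue. The sample inputs are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers named in the issue. X-XSS-Protection and Public-Key-Pins are ignored by
# modern browsers, so they are not treated as required here.
EXPECTED = {"strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options"}

def audit_headers(headers):
    """Return expected security headers missing from a response (case-insensitive),
    plus a note if X-Content-Type-Options is present with a value other than nosniff."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = sorted(h for h in EXPECTED if h not in lower)
    xcto = lower.get("x-content-type-options", "nosniff").strip().lower()
    if xcto != "nosniff":
        missing.append("x-content-type-options (value is not 'nosniff')")
    return missing

class _LinkAudit(HTMLParser):
    """Collect external links opened in a new tab without rel=noopener; such links
    hand the opened page a usable window.opener (rel=noreferrer implies noopener)."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.unsafe = site_host.lower(), []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        host = (urlparse(a["href"]).hostname or "").lower() if "href" in a else ""
        rel = set(a.get("rel", "").lower().split())
        new_tab = a.get("target", "").lower() == "_blank"
        if host and host != self.site_host and new_tab and not rel & {"noopener", "noreferrer"}:
            self.unsafe.append(a["href"])

def find_unsafe_external_links(html, site_host):
    """Return hrefs of external target=_blank links lacking noopener/noreferrer."""
    parser = _LinkAudit(site_host)
    parser.feed(html)
    return parser.unsafe

# Constructed sample inputs for a stand-alone run.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_HTML = ('<a href="https://example.org/docs" target="_blank">docs</a>'
               '<a href="https://example.org/ok" target="_blank" rel="noopener noreferrer">ok</a>'
               '<a href="/about" target="_blank">about</a>')
```

Running `audit_headers(SAMPLE_HEADERS)` reports the two missing headers, and `find_unsafe_external_links(SAMPLE_HTML, "example.com")` flags only the first link: same-site links and links carrying `noopener` or `noreferrer` are skipped.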