Implement additional Security Headers for login.microsoftonline.com
Some of the newer HTTP headers can be very useful protection against certain types of attacks. Although their use is not necessarily widespread in some cases, we want to try to be more proactive, especially as we are moving websites from on-prem to Azure + AAD. For both on-prem and Azure cloud, there was a change in our internal security policy, and we are now working with our development teams across all products to implement security headers to help tighten our websites' security.
From what I can tell and as of now, below are the ones currently being implemented.
We would like to request that the headers below also be included:
- X-Frame-Options can help prevent a browser from framing our site, and it allows us to defend against attacks like clickjacking.
- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
Typically whenever a browser requests a page from a web server, the server provides the browser with the content along with some useful information, and so we have found that keeping them up to date will greatly reduce the amount of risk mitigation actions needed in the future.
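As an added illustration of what the requested headers actually buy (this is example code, not part of the feedback post or any Microsoft tooling), the script below audits a set of response headers the way a practitioner would before and after a rollout. The header dicts are constructed inline for the example; for a live check, substitute the headers from an HTTP client response. Two caveats worth building into such a check: browsers that support CSP Level 2 give `Content-Security-Policy: frame-ancestors` precedence over X-Frame-Options (so X-Frame-Options is the fallback, with only DENY and SAMEORIGIN reliably honoured), and the X-XSS-Protection filter has been removed from current Chromium-based browsers and was never implemented in Firefox, which is why OWASP now recommends sending `X-XSS-Protection: 0` and relying on CSP instead.

```python
"""Audit framing and legacy XSS-filter response headers.

Added example, not code from the original feedback post. Works on plain
header dicts (constructed below); header names are matched
case-insensitively as HTTP requires.
"""
from typing import Dict, List, Optional

FRAME_OPTIONS_OK = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return a header value by case-insensitive name, or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no issue found."""
    findings: List[str] = []

    xfo = _lookup(headers, "X-Frame-Options")
    csp = _lookup(headers, "Content-Security-Policy")
    ancestors = _csp_frame_ancestors(csp) if csp else None

    if ancestors is not None:
        # frame-ancestors wins over X-Frame-Options in CSP2-capable browsers.
        open_sources = {"*", "http:", "https:"}
        if open_sources & {src.lower() for src in ancestors}:
            findings.append("CSP frame-ancestors permits any origin; site can still be framed")
        if xfo is None:
            findings.append("no X-Frame-Options fallback for browsers without CSP Level 2")
    elif xfo is None:
        findings.append("no framing protection: add CSP frame-ancestors and X-Frame-Options")
    elif xfo.strip().upper() not in FRAME_OPTIONS_OK:
        findings.append(f"X-Frame-Options value {xfo!r} is not reliably honoured; use DENY or SAMEORIGIN")

    xss = _lookup(headers, "X-XSS-Protection")
    if xss is not None and not xss.strip().startswith("0"):
        findings.append("X-XSS-Protection enables a filter current browsers no longer ship; "
                        "send 0 or omit it and rely on CSP")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "x-xss-protection": "1; mode=block",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

Running the script reports two findings for the weak response (no framing protection, and a legacy XSS filter switched on) and none for the hardened one; the same function can be pointed at the headers returned by the login endpoint once the change ships to confirm it took effect.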
Any update on this request to include X-Frame-Options?
madhusoodanan pillai commented
I want to change my phone number for access.