I got two security-related questions from a security auditor.
#1 - X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks
#2 - A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.
Based on the ShinyProxy documentation, I can address these two questions by including in application.yml the config specs like:
server:
  secure-cookies: true
  frame-options: sameorigin
Can anyone confirm?
Thank you in advance.
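An added example, not part of the original post: one way to confirm both auditor findings are closed is to inspect the response headers before and after the config change. The two sample responses below are constructed (the cookie name `JSESSIONID` and its value are assumptions), and the check also accepts a CSP `frame-ancestors` directive as an equivalent framing control.

```python
# Constructed sample responses (not captured from a real ShinyProxy instance).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return a list of (lowercased name, value) pairs, keeping duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return findings matching the two auditor items; empty list means pass."""
    headers = parse_headers(raw)
    findings = []
    xfo = [v.lower() for n, v in headers if n == "x-frame-options"]
    csp = [v.lower() for n, v in headers if n == "content-security-policy"]
    framing_ok = any(v in ("deny", "sameorigin") for v in xfo) or any(
        "frame-ancestors" in v for v in csp)
    if not framing_ok:
        findings.append("no X-Frame-Options (DENY/SAMEORIGIN) or CSP frame-ancestors")
    for n, v in headers:
        if n != "set-cookie":
            continue  # each Set-Cookie header is checked on its own
        parts = [p.strip() for p in v.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} set without Secure")
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "OK")
```

To run it against a live deployment, feed `audit()` the raw header text of a response fetched over HTTPS, since a `Secure` cookie is only meaningful on an encrypted connection.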