Important: #100032 - Add HTTP security headers for backend by default
See forge#100032
Description
The following HTTP security headers are now added by default for the TYPO3 backend:

Strict-Transport-Security: max-age=31536000 (only if $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] is active)
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
The default HTTP security headers are globally configured in $GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'], and each header has a unique array key, so it is possible to individually unset/remove unwanted headers.
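As an added example (not part of the changelog or the TYPO3 core), a site-specific override in config/system/additional.php that removes one default header by its array key, overrides another under the same key, and adds a further header under a new key. The key names strictTransportSecurity, xContentTypeOptions and referrerPolicy are assumptions taken from the core defaults and should be checked against DefaultConfiguration.php of the installed version.

```php
<?php
// config/system/additional.php (TYPO3 v12 layout; AdditionalConfiguration.php in
// older setups). Added example, not from the changelog. The array keys
// strictTransportSecurity / xContentTypeOptions / referrerPolicy are assumed from
// the core defaults; verify them in DefaultConfiguration.php before relying on them.

$headers = &$GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'];

// 1. Remove a default header by its unique key, e.g. because the web server
//    already sends HSTS for the whole host and the backend must not emit it twice.
unset($headers['strictTransportSecurity']);

// 2. Change a default by assigning to the SAME key rather than appending a new
//    entry, so the backend still sends exactly one Referrer-Policy header.
$headers['referrerPolicy'] = 'Referrer-Policy: same-origin';

// 3. Add a further header under a new, unique key. Each entry is the complete
//    "Name: value" header line, the same form the defaults use.
$headers['permissionsPolicy'] = 'Permissions-Policy: geolocation=(), microphone=()';

unset($headers);
```

After deploying, issue a HEAD request against the backend login URL and confirm that every security header name appears exactly once in the response, including headers added by the web server or a reverse proxy.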
Important
TYPO3 websites that already use custom HTTP headers for the TYPO3 backend must ensure that individual HTTP security headers are not sent multiple times.