[ https://issues.apache.org/jira/browse/TOBAGO-2498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Henning Nöth resolved TOBAGO-2498.
----------------------------------
Fix Version/s: 6.10.1
Resolution: Fixed
> Set outdated HTTP headers to deprecated
> ---------------------------------------
>
> Key: TOBAGO-2498
> URL: https://issues.apache.org/jira/browse/TOBAGO-2498
> Project: MyFaces Tobago
> Issue Type: Improvement
> Components: Core
> Affects Versions: 6.10.0
> Reporter: Henning Nöth
> Assignee: Henning Nöth
> Priority: Minor
> Fix For: 6.10.1
>
>
> Set "Pragma - no-cache" HTTP header to "deprecated". The header is replaced
> by "HTTP/1.1 Cache-Control", which has been supported by all major browsers
> for over 10 to 20 years.
> [Cache-Control header - HTTP -
> MDN|https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Cache-Control]
> The same applies to the "Expires/max-age" data header, because it can be removed if
> using the Cache-Control header with "max-age".
> [Expires header - HTTP -
> MDN|https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Expires]
> Set outdated CSP header to "deprecated".
> * X-Content-Security-Policy //Firefox, Internet Explorer
> * X-WebKit-CSP //Safari
> All major browsers support the standard header since 2016-08-02.
> [Content-Security-Policy (CSP) header - HTTP -
> MDN|https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Content-Security-Policy]
> Set outdated CSP read-only header to "deprecated".
> * X-Content-Security-Policy-Report-Only //Firefox, Internet Explorer
> * X-WebKit-CSP-Report-Only //Safari
> All major browsers support the standard header since 2016-08-02.
> [Content-Security-Policy-Report-Only header - HTTP -
> MDN|https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy-Report-Only]
> Set "X-Frame-Options HTTP header" to "deprecated", because this is covered by
> the CSP "frame-ancestors" directive.
> For WebKit browsers, use the standard CSP and CSP-read-only header.
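The header migration described in the issue, as an added example (not part of the Jira issue and not Tobago's code): a function that folds the deprecated headers of a response into Cache-Control and Content-Security-Policy. The name `modernize`, the sample headers and the handling of a missing Date header are assumptions made for this illustration, as is the assumption that prefixed CSP values already use standard syntax.

```python
from email.utils import parsedate_to_datetime

# Prefixed CSP headers named in the issue -> standard header (lower-cased names).
CSP, CSP_RO = "content-security-policy", "content-security-policy-report-only"
PREFIXED_CSP = {"x-" + CSP: CSP, "x-webkit-csp": CSP,
                "x-" + CSP_RO: CSP_RO, "x-webkit-csp-report-only": CSP_RO}
XFO_TO_ANCESTORS = {"deny": "'none'", "sameorigin": "'self'"}

def _names(value, sep):
    """Lower-cased directive names in a `sep`-separated header value."""
    return {p.replace("=", " ").split()[0].lower() for p in value.split(sep) if p.strip()}

def modernize(headers):
    """Fold deprecated headers into Cache-Control / CSP; returns lower-cased names."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    cache = [h["cache-control"]] if "cache-control" in h else []
    seen = _names(",".join(cache), ",")
    if "no-cache" in h.pop("pragma", "").lower() and not seen & {"no-cache", "no-store"}:
        cache.append("no-cache")
    expires = h.pop("expires", None)
    if expires is not None and "max-age" not in seen:  # max-age wins over Expires
        try:
            delta = parsedate_to_datetime(expires) - parsedate_to_datetime(h["date"])
            secs = max(0, int(delta.total_seconds()))
        except (KeyError, TypeError, ValueError):
            secs = 0  # assumption: no Date or unparsable Expires ("0") means stale
        cache.append(f"max-age={secs}")
    if cache:
        h["cache-control"] = ", ".join(cache)
    for legacy, standard in PREFIXED_CSP.items():
        value = h.pop(legacy, None)
        if value and standard not in h:
            h[standard] = value  # assumption: value already uses standard CSP syntax
    # DENY / SAMEORIGIN map to frame-ancestors; other values are left for review.
    ancestors = XFO_TO_ANCESTORS.get(h.get("x-frame-options", "").lower())
    if ancestors:
        del h["x-frame-options"]
        csp = h.get(CSP, "")
        if "frame-ancestors" not in _names(csp, ";"):
            h[CSP] = f"{csp.rstrip('; ')}; frame-ancestors {ancestors}".lstrip("; ")
    return h

# Constructed sample response headers (not taken from Tobago).
SAMPLE = {"Pragma": "no-cache", "Expires": "0", "X-Frame-Options": "SAMEORIGIN",
          "X-WebKit-CSP": "default-src 'self'",
          "Content-Security-Policy": "default-src 'self'"}

if __name__ == "__main__":
    print(modernize(SAMPLE))
```

An existing `frame-ancestors` directive or `max-age` value is never overwritten, so the standard header always takes precedence over the legacy one it replaces.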