Noble Paul created SOLR-14634:
---------------------------------

             Summary: Limit the HTTP security header to /solr end point
                 Key: SOLR-14634
                 URL: https://issues.apache.org/jira/browse/SOLR-14634
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 8.6
            Reporter: Noble Paul


Ideally the CSP headers and other security headers are only required for web 
components such as html/js etc. There should be no need to send it out for a 
{{json}} or {{javabin}} response. It is unnecessary data that is being sent.

The problem is our web UI content paths are not easy to differentiate from 
other paths. But the v2 APIs do not need to pay that price and that can be 
easily achieved by adding a pattern to the rules.


