Meteor + Angular 7 has security vulnerabilities

I’m writing an app that uses Angular 7 on the client-side instead of Blaze. I ran a scan using OWASP ZAP to scan for vulnerabilities and I got the following warnings:

  • Web Browser XSS Protection Not Enabled (Low risk)

  • X-Frame-Options Header Not Set (Medium risk)

  • X-Content-Type-Options Header Missing (Low risk)

Since Meteor handles all HTTP responses, how can I get rid of these warnings? From my understanding the browser-policy package provides security on the client-side. Should I be using the package anyway even though Angular implements its own security on the client-side?

Any help or suggestions are appreciated.

I believe these are server config options… I think you should be looking at your nginx or apache config on your server… I could be wrong.

1 Like

I think you might be right, and since I’m using meteor-up for deployment, I just noticed that there is a way to provide the config file where I can configure the headers for response.

Thank you for your help!
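
For reference, the three headers named in the ZAP findings above can also be set in the Node layer rather than in the proxy config. The following is an added example, not code from any poster in this thread: a connect-style middleware plus a small audit helper that reports which of the three findings are still open for a given set of response headers. The names `securityHeaders`, `missingHeaders` and `mockResponse` are hypothetical, and the sample headers are constructed.

```javascript
// Added example: header values that answer the three ZAP findings in the thread.
const SECURITY_HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',      // "X-Frame-Options Header Not Set"
  'X-Content-Type-Options': 'nosniff',  // "X-Content-Type-Options Header Missing"
  // Clears the ZAP finding; current browsers have dropped their XSS filters,
  // so this header matters mostly for old clients.
  'X-XSS-Protection': '1; mode=block',  // "Web Browser XSS Protection Not Enabled"
};

// Connect-style middleware: sets each header before the app writes the response.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Audit helper: returns the names of the three headers that are absent or weak.
function missingHeaders(headers) {
  const seen = {};
  for (const [k, v] of Object.entries(headers)) {
    seen[k.toLowerCase()] = String(v).trim().toLowerCase(); // names are case-insensitive
  }
  const findings = [];
  const xfo = seen['x-frame-options'];
  if (xfo !== 'deny' && xfo !== 'sameorigin') findings.push('X-Frame-Options');
  if (seen['x-content-type-options'] !== 'nosniff') findings.push('X-Content-Type-Options');
  if (!(seen['x-xss-protection'] || '').startsWith('1')) findings.push('X-XSS-Protection');
  return findings;
}

// Constructed stand-in for a Node response object, so the example runs offline.
function mockResponse() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name] = value; } };
}

function demo() {
  const before = missingHeaders({ 'Content-Type': 'text/html' }); // constructed input
  const res = mockResponse();
  let nextCalled = false;
  securityHeaders({}, res, () => { nextCalled = true; });
  return { before, after: missingHeaders(res.headers), nextCalled };
}

// Assumption: in a Meteor 1.x/2.x server file the middleware would be registered with
//   import { WebApp } from 'meteor/webapp';
//   WebApp.connectHandlers.use(securityHeaders);
console.log(demo());
```

If a reverse proxy in front of the app sets the same headers, configure them in one place only, so responses do not carry duplicate or conflicting values.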