Meteor + Angular 7 has security vulnerabilities

araad · January 7, 2019, 9:08pm

Hi,
I’m writing an app that uses Angular 7 on the client-side instead of Blaze. I ran a scan using OWASP ZAP to scan for vulnerabilities and I got the following warnings:

Web Browser XSS Protection Not Enabled (Low risk)
X-Frame-Options Header Not Set (Medium risk)
X-Content-Type-Options Header Missing (Low risk)

Since Meteor handles all http responses, how can i get rid of these warnings? From my understanding the browser-policy package provides security on the client-side. Should i be using the package anyway even though angular implements its own security on the client-side?

Any help or suggestions is appreciated.
Thanks

mikeacre · January 8, 2019, 8:41pm

I believe these are server config options… I think you should be looking at your nginx or apache config on yoru server… I could be wrong.

araad · January 8, 2019, 10:52pm

I think you might be right, and since I’m using meteor-up for deployment, I just noticed that there is a way to provide the config file where i can configure the headers for response.

Thank you for your help!