
Biggest web hosting sites were vulnerable to simple account takeover hacks - bariscan
https://techcrunch.com/2019/01/14/web-hosting-account-hacks/
======
ohiovr
Sites like [https://observatory.mozilla.org](https://observatory.mozilla.org)
can tell you if your site is vulnerable to these sorts of attacks. I end up
setting the correct headers and the warnings go away. I have never actually
tried to simulate an attack on my own domain though.

One thing that is bugging me though... let’s say I am setting up a Nextcloud
instance behind a reverse proxy. The way I have been doing it I have had to
manually set the right headers in my nginx conf. But this doesn’t seem right.
Nextcloud already has these headers... I think. Is there some way of telling
nginx to pass along the backend’s headers?

A lot of web applications should already have these issues figured out.
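
One way to check the situation the comment describes, where both the reverse proxy and the backend set the same header (an added example, not part of the comment): the script parses a raw response head, such as one saved from `curl -sI`, and flags security headers that are missing, duplicated or conflicting. The header list and the sample response are constructed for illustration.

```python
from collections import defaultdict

# Response headers commonly graded by header scanners (a selection assumed for this example).
SECURITY_HEADERS = (
    "strict-transport-security", "content-security-policy",
    "x-content-type-options", "x-frame-options", "referrer-policy",
)

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}, keeping repeats."""
    headers = defaultdict(list)
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw):
    """Return {header: status}; status is ok, missing, duplicate or conflict."""
    headers = parse_headers(raw)
    report = {}
    for name in SECURITY_HEADERS:
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) == 1:
            report[name] = "ok"
        elif len({v.lower() for v in values}) == 1:
            report[name] = "duplicate"   # same value sent twice, e.g. by proxy and backend
        else:
            report[name] = "conflict"    # the two layers disagree on the value
    return report

# Constructed sample: what a client might see when two layers each add headers.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```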

