@gopinath6 reported an issue where certain error pages on GitHub.com were not setting the correct security headers. This could have resulted in a content-framing attack against the login form on our 404 page. We addressed the issue by ensuring that all error pages respond with the appropriate security headers.
@gopinath6 discovered that GitHub.com could leak sensitive information to trusted third parties (e.g. our CDN) through Referer headers when performing a password reset. We remediated this issue within modern browsers by adding support for the <meta name="referrer" content="origin"> tag on the password reset validation page.
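As an added check covering the two fixes above (example code, not GitHub's own), the Python below inspects a captured response's headers and HTML for framing protection (X-Frame-Options or a CSP frame-ancestors directive) and for a referrer policy that keeps the URL off cross-origin requests (Referrer-Policy header or the meta referrer tag); the sample responses are constructed, and which policies count as limiting is this check's own assumption.

```python
from html.parser import HTMLParser

# Referrer policies that never expose the full URL (path and query) to another origin.
LIMITING_POLICIES = {"no-referrer", "origin", "same-origin", "strict-origin",
                     "strict-origin-when-cross-origin"}

def framing_protected(headers):
    """True if the response forbids framing by other origins, via either
    X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors of 'none'/'self'."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in value.split()]
            return bool(sources) and all(s in ("none", "self") for s in sources)
    return False

class _MetaReferrer(HTMLParser):
    """Records the content of <meta name="referrer" content="..."> if present."""
    def __init__(self):
        super().__init__()
        self.policy = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "meta":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("name", "").lower() == "referrer":
                self.policy = a.get("content", "").strip().lower()

def referrer_limited(headers, html):
    """True if the effective policy keeps the URL off cross-origin requests.
    A meta referrer tag, when present, is taken over the Referrer-Policy header."""
    parser = _MetaReferrer()
    parser.feed(html)
    policy = parser.policy
    if policy is None:
        h = {k.lower(): v for k, v in headers.items()}
        policy = h.get("referrer-policy", "").strip().lower()
    return policy in LIMITING_POLICIES

# Constructed sample responses (not captured from GitHub.com): a 404 page carrying a
# login form before and after the framing fix, and a reset page with the meta tag.
ERROR_404_BEFORE = ({"Content-Type": "text/html"}, "<html><form action='/login'></form></html>")
ERROR_404_AFTER = ({"Content-Type": "text/html", "X-Frame-Options": "DENY"}, ERROR_404_BEFORE[1])
RESET_AFTER = ({"Content-Type": "text/html"},
               '<html><head><meta name="referrer" content="origin"></head></html>')
```

Run against real captures by passing the response's header dict and body text; a page that fails both checks needs a header on the error route, not just on the main application routes.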
@gopinath6 reported an issue where several internal services had endpoints exposed without requiring authentication. These endpoints could disclose low-risk information.