Add some generic default headers as well via PHP
This commit is contained in:
parent
74a9fc29b4
commit
9d1ce53cb1
25
.htaccess
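--- a/.htaccess
+++ b/.htaccess
@@ -1,11 +1,25 @@
 # Version: 8.1.0
+<IfModule mod_headers.c>
 <IfModule mod_fcgid.c>
 <IfModule mod_setenvif.c>
-<IfModule mod_headers.c>
 SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
 RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
 </IfModule>
 </IfModule>
+
+<IfModule mod_env.c>
+# Add security and privacy related headers
+Header set X-Content-Type-Options "nosniff"
+Header set X-XSS-Protection "1; mode=block"
+Header set X-Robots-Tag "none"
+Header set X-Frame-Options "SAMEORIGIN"
+SetEnv modHeadersAvailable true
+</IfModule>
+
+# Add cache control for CSS and JS files
+<FilesMatch "\.(css|js)$">
+Header set Cache-Control "max-age=7200, public"
+</FilesMatch>
 </IfModule>
 <IfModule mod_php5.c>
 php_value upload_max_filesize 513M
@@ -44,12 +58,3 @@ Options -Indexes
 <IfModule pagespeed_module>
 ModPagespeed Off
 </IfModule>
-<IfModule mod_headers.c>
-Header set X-Content-Type-Options "nosniff"
-Header set X-XSS-Protection "1; mode=block"
-Header set X-Robots-Tag "none"
-Header set X-Frame-Options "SAMEORIGIN"
-<FilesMatch "\.(css|js)$">
-Header set Cache-Control "max-age=7200, public"
-</FilesMatch>
-</IfModule>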
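Review bot: The four `Header set` rules added in the first hunk use mod_headers' default onsuccess table, so as far as I recall Apache applies them only to 2xx responses; a 403/404 or an ErrorDocument page goes out without X-Frame-Options and friends, and because `SetEnv modHeadersAvailable true` is set on that same request the new PHP fallback does not fill the gap either. Prefixing the four security headers with `always`, e.g. `Header always set X-Frame-Options "SAMEORIGIN"`, makes them apply to error responses too; the `Cache-Control` rule can stay as written. The setup check presumably probes a successful response, so it will not surface this on its own.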
@ -115,9 +115,9 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
for (var header in securityHeaders) {
|
for (var header in securityHeaders) {
|
||||||
if(xhr.getResponseHeader(header) !== securityHeaders[header]) {
|
if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
|
||||||
messages.push(
|
messages.push(
|
||||||
t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]})
|
t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]})
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
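Review bot: The rewritten condition still requires the exact (case-folded) expected value, so a deployment that sends a stricter `X-Frame-Options: DENY`, or the right value with surrounding whitespace, is reported as a security risk even though it is at least as safe. Reading the header once into a local also avoids the double `getResponseHeader` call: `var actual = xhr.getResponseHeader(header);` followed by `if(!actual || actual.trim().toLowerCase() !== securityHeaders[header].toLowerCase()) {` (use `$.trim` if jQuery is in scope and old IE still matters). Accepting `deny` would need a per-header allow-list rather than one expected string, which is fine as a follow-up. The enclosing function starts and ends outside the hunk.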
@ -140,7 +140,7 @@ describe('OC.SetupChecks tests', function() {
|
||||||
);
|
);
|
||||||
|
|
||||||
async.done(function( data, s, x ){
|
async.done(function( data, s, x ){
|
||||||
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security risk and we recommend adjusting this setting.']);
|
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.']);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
@ -155,12 +155,11 @@ describe('OC.SetupChecks tests', function() {
|
||||||
'X-Robots-Tag': 'none',
|
'X-Robots-Tag': 'none',
|
||||||
'X-Frame-Options': 'SAMEORIGIN',
|
'X-Frame-Options': 'SAMEORIGIN',
|
||||||
'Strict-Transport-Security': '2678400'
|
'Strict-Transport-Security': '2678400'
|
||||||
|
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
async.done(function( data, s, x ){
|
async.done(function( data, s, x ){
|
||||||
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.']);
|
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.']);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
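Review bot: Neither hunk adds a fixture for the behaviour the companion change in setupchecks.js introduces; the message text is the only thing these expectations change. The visible fixture sends `'X-Frame-Options': 'SAMEORIGIN'` and `'X-Robots-Tag': 'none'` in exactly the expected case, so a header returned as `sameorigin`, or one that is absent entirely, is not pinned by any test here. A case with `'X-Frame-Options': 'sameorigin'` expected to produce no message, and one with the header missing expected to produce the message, would cover the new lowercase comparison and the new `!xhr.getResponseHeader(header)` guard. The describe block starts outside both hunks.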
@ -229,6 +229,15 @@ class OC_Response {
|
||||||
. 'media-src *; '
|
. 'media-src *; '
|
||||||
. 'connect-src *';
|
. 'connect-src *';
|
||||||
header('Content-Security-Policy:' . $policy);
|
header('Content-Security-Policy:' . $policy);
|
||||||
|
|
||||||
|
// Send fallback headers for installations that don't have the possibility to send
|
||||||
|
// custom headers on the webserver side
|
||||||
|
if(getenv('modHeadersAvailable') !== 'true') {
|
||||||
|
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
|
||||||
|
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
|
||||||
|
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
|
||||||
|
header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
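Review bot: The fallback line `header('X-Frame-Options: Sameorigin')` emits a different casing than the `.htaccess` rule and the value the setup check reports as expected (`SAMEORIGIN`); browsers treat the token case-insensitively and the JS check now lowercases, but anything that compares the raw value (log scrapers, a stricter future check) will see two different strings for the same setting. Use `header('X-Frame-Options: SAMEORIGIN');` so both code paths send identical bytes. Gating on `getenv('modHeadersAvailable') !== 'true'` is reasonable for nginx or `AllowOverride None` deployments, where the `.htaccess` rules never run. The method containing this block starts outside the hunk.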
@ -444,6 +444,7 @@ if ($_['cronErrors']) {
|
||||||
<li><a target="_blank" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?> ↗</a></li>
|
<li><a target="_blank" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?> ↗</a></li>
|
||||||
<li><a target="_blank" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?> ↗</a></li>
|
<li><a target="_blank" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?> ↗</a></li>
|
||||||
<li><a target="_blank" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?> ↗</a></li>
|
<li><a target="_blank" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?> ↗</a></li>
|
||||||
|
<li><a target="_blank" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?> ↗</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|
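Review bot: The added documentation link uses `target="_blank"` without `rel="noopener noreferrer"`, so in browsers that do not default to noopener the opened page gets a `window.opener` reference back to the admin settings tab; the sibling links on the lines above share the pattern, but the new line is the one under review. Add the attribute, `<li><a target="_blank" rel="noopener noreferrer" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?> ↗</a></li>`, and consider doing the same for the neighbouring entries in a follow-up. The URL is passed through `p()` like the others, which looks right.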