From 4812baa1039be142ce3752c7053365143b4df8f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Tue, 26 Jun 2018 11:40:09 +0200
Subject: [PATCH] Merge branch '5842-security-missing-security-headers' into '1.3-dev'

Resolve "Security: Missing Security Headers"
See merge request fusiondirectory/fd!303
(cherry picked from commit 7d9a58d9aee8d1c3fa4404ee2b1591f482ec3653)
4a182d01 :sparkles: feat(core) Add header to forbid framing
---
 html/class_passwordRecovery.inc | 9 +++++++++
 html/index.php | 1 +
 html/main.php | 1 +
 html/setup.php | 1 +
 4 files changed, 12 insertions(+)

diff --git a/html/class_passwordRecovery.inc b/html/class_passwordRecovery.inc
index 98383176e..23e716fcd 100644
--- a/html/class_passwordRecovery.inc
+++ b/html/class_passwordRecovery.inc
@@ -104,6 +104,8 @@ class standAlonePage {
       load_plist();
       $ssl = $this->checkForSSL();
+
+      static::securityHeaders();
     }
   }
@@ -221,6 +223,13 @@ class standAlonePage {
     return preg_replace('/^&/', '?', $params);
   }
+  static function securityHeaders()
+  {
+    header('X-XSS-Protection: 1; mode=block');
+    header('X-Content-Type-Options: nosniff');
+    header('X-Frame-Options: deny');
+  }
+
   static function generateRandomHash()
   {
     /* Generate a very long random value */
diff --git a/html/index.php b/html/index.php
index 700101cc3..4f1e1cc42 100644
--- a/html/index.php
+++ b/html/index.php
@@ -29,6 +29,7 @@ require_once ("class_logging.inc");
 header('Content-type: text/html; charset=UTF-8');
 header('X-XSS-Protection: 1; mode=block');
 header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: deny');
 /*****************************************************************************
  * M A I N *
diff --git a/html/main.php b/html/main.php
index 55518a066..25a824800 100644
--- a/html/main.php
+++ b/html/main.php
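Review bot: `static::securityHeaders()` is added inside a nested block (two closing braces follow it) of a method whose start lies outside the hunk, so whether every response from a stand-alone page carries the headers depends on the condition guarding that block; if the block is not entered on every request, those responses silently lack the protection. The call also runs after `load_plist()` and `$this->checkForSSL()`, and `header()` does nothing but emit a warning once any output has been sent, so it relies on neither of those producing output first. Placing `static::securityHeaders();` as the first statement of the method, before anything that could print or redirect, would make the guarantee unconditional.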
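Review bot: `securityHeaders()` has no docblock and no visibility modifier even though it is now part of the page's security contract; add `/** Send the response headers every stand-alone page must carry (XSS filter, MIME sniffing, framing). Must be called before any output. */` and declare it `public static function securityHeaders()`. The same three `header()` lines are repeated verbatim in index.php, main.php and setup.php (the three following hunks), so the list will drift the next time a header is added or changed; if those entry points load this class, calling the helper keeps them in step, otherwise a small shared include would. The value `deny` is spelled `DENY` in the specification; browsers compare it case-insensitively, but using the documented spelling avoids relying on that. `X-Frame-Options` is the legacy mechanism, and the standardized control is `Content-Security-Policy: frame-ancestors 'none'`, which the helper could send alongside it so that browsers preferring CSP are covered too.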
@@ -31,6 +31,7 @@ require_once ("variables.inc");
 header('Content-type: text/html; charset=UTF-8');
 header('X-XSS-Protection: 1; mode=block');
 header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: deny');
 /* Set the text domain as 'fusiondirectory' */
 $domain = 'fusiondirectory';
diff --git a/html/setup.php b/html/setup.php
index 292e5f555..2319bcb7e 100644
--- a/html/setup.php
+++ b/html/setup.php
@@ -39,6 +39,7 @@ require_once("../setup/class_setupStepFinish.inc");
 header('Content-type: text/html; charset=UTF-8');
 header('X-XSS-Protection: 1; mode=block');
 header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: deny');
 /* Set cookie lifetime to one day (The parameter is in seconds ) */
 session_set_cookie_params(24 * 60 * 60);
-- 
GitLab