From ab144d737a6988b4dce65610197a935671cdb82b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Tue, 26 Jun 2018 11:40:09 +0200
Subject: [PATCH] Merge branch '5842-security-missing-security-headers' into
 '1.3-dev'

Resolve "Security: Missing Security Headers"

See merge request fusiondirectory/fd!303

(cherry picked from commit 7d9a58d9aee8d1c3fa4404ee2b1591f482ec3653)

4a182d01 :sparkles: feat(core) Add header to forbid framing
---
 html/class_passwordRecovery.inc | 9 +++++++++
 html/index.php                  | 1 +
 html/main.php                   | 1 +
 html/setup.php                  | 1 +
 4 files changed, 12 insertions(+)

diff --git a/html/class_passwordRecovery.inc b/html/class_passwordRecovery.inc
index 17823472f..53d0f6d41 100644
--- a/html/class_passwordRecovery.inc
+++ b/html/class_passwordRecovery.inc
@@ -104,6 +104,8 @@ class standAlonePage {
       load_plist();
 
       $ssl = $this->checkForSSL();
+
+      static::securityHeaders();
     }
   }
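Review bot: The new `static::securityHeaders();` call sits inside an `if` block whose condition, and the rest of the enclosing `standAlonePage` method, begin before this hunk, so any sibling branch or early return in that method that still renders a page would ship without the anti-framing header. It is worth confirming that no other path in this method emits HTML, or hoisting the call to the top of the method ahead of `load_plist()` so it runs unconditionally and before anything can start output, since PHP's `header()` has no effect once output has begun (it only warns "headers already sent"). A one-line comment above the call such as `// Send hardening headers before any page output` would make that ordering constraint explicit to the next editor.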
 
@@ -221,6 +223,13 @@ class standAlonePage {
     return $params;
   }
 
+  static function securityHeaders()
+  {
+    header('X-XSS-Protection: 1; mode=block');
+    header('X-Content-Type-Options: nosniff');
+    header('X-Frame-Options: deny');
+  }
+
   static function generateRandomHash()
   {
     /* Generate a very long random value */
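Review bot: `securityHeaders()` sends `X-Frame-Options` but no `Content-Security-Policy` `frame-ancestors` directive; current browsers treat `frame-ancestors` as the authoritative anti-framing control and fall back to `X-Frame-Options` only when it is absent, so adding `header("Content-Security-Policy: frame-ancestors 'none'");` after the `X-Frame-Options` line covers both generations of browsers. The `X-XSS-Protection: 1; mode=block` line is also worth revisiting: the auditor it enables has since been removed from Chromium-based browsers and, where it remains, has been used as a cross-origin leak oracle, so current OWASP guidance is to send `X-XSS-Protection: 0` (this guidance postdates the 2018 commit). Stylistically the method declares no visibility or return type; `public static function securityHeaders(): void` is the modern form, though the sibling `generateRandomHash()` uses the same bare `static function` style, so changing it means changing the file's convention. A short docblock such as `/** Send the browser hardening headers shared by stand-alone pages; must be called before any output. */` would document the ordering requirement.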
diff --git a/html/index.php b/html/index.php
index 85df945a3..88f346157 100644
--- a/html/index.php
+++ b/html/index.php
@@ -29,6 +29,7 @@ require_once ("class_logging.inc");
 header('Content-type: text/html; charset=UTF-8');
 header('X-XSS-Protection: 1; mode=block');
 header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: deny');
 
 /* Display the login page and exit() */
 function displayLogin()
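Review bot: The added `X-Frame-Options: deny` on the login page has no `Content-Security-Policy` counterpart; when both headers are present browsers honour `frame-ancestors` and ignore `X-Frame-Options`, and CSP is the only one of the two that is still being specified, so pairing the new line with `header("Content-Security-Policy: frame-ancestors 'none'");` gives the login form the strongest clickjacking protection. If a CSP for this page is already sent elsewhere (nothing here shows one), the directive should be merged into that policy rather than emitted as a second header, because multiple CSP headers are each enforced and the effective policy is their intersection. These calls are top-level statements, so ordering is fine provided none of the preceding `require_once` files emit output.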
diff --git a/html/main.php b/html/main.php
index 27cb05164..4414c77a3 100644
--- a/html/main.php
+++ b/html/main.php
@@ -31,6 +31,7 @@ require_once ("variables.inc");
 header('Content-type: text/html; charset=UTF-8');
 header('X-XSS-Protection: 1; mode=block');
 header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: deny');
 
 /* Set the text domain as 'fusiondirectory' */
 $domain = 'fusiondirectory';
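Review bot: With this line `main.php` now carries the same four `header()` calls that `index.php`, `setup.php` and the new `standAlonePage::securityHeaders()` in `class_passwordRecovery.inc` each hard-code, so the next header added is likely to land in some entry points and not others. A single helper called from each page would keep them in step; whether `standAlonePage` is loadable from `main.php` is not visible here, so the helper may belong in a shared include rather than in the password-recovery class. `main.php` serves the authenticated application, which is the page most worth protecting from UI redress, so the same `header("Content-Security-Policy: frame-ancestors 'none'");` companion recommended for the other pages applies here too.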
diff --git a/html/setup.php b/html/setup.php
index f9763e431..c8fcc3252 100644
--- a/html/setup.php
+++ b/html/setup.php
@@ -39,6 +39,7 @@ require_once("../setup/class_setupStepFinish.inc");
 header('Content-type: text/html; charset=UTF-8');
 header('X-XSS-Protection: 1; mode=block');
 header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: deny');
 
 /* Set cookie lifetime to one day (The parameter is in seconds ) */
 session_set_cookie_params(24 * 60 * 60);
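Review bot: `X-Frame-Options: deny` on the installer, like the same line in the other pages, should be paired with `header("Content-Security-Policy: frame-ancestors 'none'");` so browsers that prefer or only honour the CSP directive are covered as well. The installer is a particularly sensitive target while it is reachable, so a comment above the block, e.g. `// Hardening headers: must precede any output`, would help keep them in place and in order when the page is next edited. The header list here is a verbatim copy of the ones in `index.php` and `main.php`; a shared helper would avoid the three diverging again.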
-- 
GitLab