Merge branch '5842-security-missing-security-headers' into '1.3-dev'

Resolve "Security: Missing Security Headers" See merge request fusiondirectory/fd!281

Merge branch '5842-security-missing-security-headers' into '1.3-dev'
Resolve "Security: Missing Security Headers" See merge request fusiondirectory/fd!281
b7e0a451 · Côme Chilliet · 5edd2e32 · f215a8ce · b7e0a451 · b7e0a451
Commit b7e0a451 authored 6 years ago by Côme Chilliet
Hide whitespace changes
Inline Side-by-side

Showing

with 13 additions and 5 deletions
+13 -5
--- a/html/index.php
+++ b/html/index.php
@@ -24,7 +24,11 @@ require_once ("../include/php_setup.inc");
 require_once ("functions.inc");
 require_once ("variables.inc");
 require_once ("class_logging.inc");
-header("Content-type: text/html; charset=UTF-8");
+
+/* Set headers */
+header('Content-type: text/html; charset=UTF-8');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Content-Type-Options: nosniff');

 /* Display the login page and exit() */
 function displayLogin()

--- a/html/main.php
+++ b/html/main.php
@@ -27,8 +27,10 @@ require_once ("../include/php_setup.inc");
 require_once ("functions.inc");
 require_once ("variables.inc");

-/* Set header */
-header("Content-type: text/html; charset=UTF-8");
+/* Set headers */
+header('Content-type: text/html; charset=UTF-8');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Content-Type-Options: nosniff');

 /* Set the text domain as 'fusiondirectory' */
 $domain = 'fusiondirectory';

--- a/html/setup.php
+++ b/html/setup.php
@@ -35,8 +35,10 @@ require_once("../setup/class_setupStepMigrate.inc");
 require_once("../setup/class_setupStepFinish.inc");


-/* Set header */
-header("Content-type: text/html; charset=UTF-8");
+/* Set headers */
+header('Content-type: text/html; charset=UTF-8');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Content-Type-Options: nosniff');

 /* Set cookie lifetime to one day (The parameter is in seconds ) */
 session_set_cookie_params(24 * 60 * 60);