From e607b5b66e9bc1e3e3d5871cd912ee52a0a2b3f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Tue, 5 Jun 2018 12:04:02 +0200
Subject: [PATCH] Merge branch '5842-security-missing-security-headers' into
 '1.3-dev'

Resolve "Security: Missing Security Headers"

See merge request fusiondirectory/fd!281

(cherry picked from commit b7e0a45112a6f2eb3f0a07af4ce05822a7ae4ad2)

f215a8ce :sparkles: feat(core) Add security HTTP headers
---
 html/index.php | 6 +++++-
 html/main.php  | 6 ++++--
 html/setup.php | 6 ++++--
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/html/index.php b/html/index.php
index 0b37df700..85df945a3 100644
--- a/html/index.php
+++ b/html/index.php
@@ -24,7 +24,11 @@ require_once ("../include/php_setup.inc");
 require_once ("functions.inc");
 require_once ("variables.inc");
 require_once ("class_logging.inc");
-header("Content-type: text/html; charset=UTF-8");
+
+/* Set headers */
+header('Content-type: text/html; charset=UTF-8');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Content-Type-Options: nosniff');
 
 /* Display the login page and exit() */
 function displayLogin()
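Review bot: The same three `header()` calls are now duplicated verbatim in index.php, main.php and setup.php (this hunk and the two that follow), so a future change to the header set has to be made in three places, and any other entry point under html/ that this commit does not touch (if there is one) stays without them; since all three files already `require_once` ../include/php_setup.inc, one helper there, e.g. a `send_security_headers()` function (name as you like) called from each entry point, would keep the set consistent. The new set also omits `X-Frame-Options`, the usual companion of `nosniff` on a login page; `header('X-Frame-Options: DENY');` (or `SAMEORIGIN` if any page is legitimately framed) would cover clickjacking without affecting normal use. `X-XSS-Protection` is a legacy browser filter that current browsers ignore, so a short comment such as `/* legacy header; not a substitute for output escaping or a Content-Security-Policy */` next to it would keep a later reader from counting it as protection. As before, these calls must run before any output is sent, which the placement after the `require_once` lines preserves.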
diff --git a/html/main.php b/html/main.php
index 1d03fbac5..27cb05164 100644
--- a/html/main.php
+++ b/html/main.php
@@ -27,8 +27,10 @@ require_once ("../include/php_setup.inc");
 require_once ("functions.inc");
 require_once ("variables.inc");
 
-/* Set header */
-header("Content-type: text/html; charset=UTF-8");
+/* Set headers */
+header('Content-type: text/html; charset=UTF-8');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Content-Type-Options: nosniff');
 
 /* Set the text domain as 'fusiondirectory' */
 $domain = 'fusiondirectory';
diff --git a/html/setup.php b/html/setup.php
index 70378bb11..f9763e431 100644
--- a/html/setup.php
+++ b/html/setup.php
@@ -35,8 +35,10 @@ require_once("../setup/class_setupStepMigrate.inc");
 require_once("../setup/class_setupStepFinish.inc");
 
 
-/* Set header */
-header("Content-type: text/html; charset=UTF-8");
+/* Set headers */
+header('Content-type: text/html; charset=UTF-8');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Content-Type-Options: nosniff');
 
 /* Set cookie lifetime to one day (The parameter is in seconds ) */
 session_set_cookie_params(24 * 60 * 60);
-- 
GitLab