Security: Missing Security Headers (#5842) · Issues · fusiondirectory / fusiondirectory

Security: Missing Security Headers

Description

It's best practice in web application security to set some headers that increase the security level of the application. Basically, the following headers should be set by default to increase the security of all deployments:

X-Frame-Options: deny: Prevents clickjacking attacks and other attack techniques against the application. More....
X-XSS-Protection: 1; mode=block: Increases the difficulty for exploitation of Cross Site Scripting attacks (XSS) in many browsers. More...
X-Content-Type-Options: nosniff: Indicate that the browser doesn't tries to deduce a content type different from the Content-Type header. More...

Furthermore recommended, but difficult to implement effectively:

Content-Security-Policy: Whitelist possible resources and restricts JavaScript usage. Correctly implemented, this increases the difficulty for exploitation of Cross-site scripting attacks. More...

Distribution Name and Version

Reproduced in admin.fusiondirectory.org.

FusionDirectory Version

1.2

PHP version used

Reproduced in admin.fusiondirectory.org.

Origin of php packages

Reproduced in admin.fusiondirectory.org.

Steps to Reproduce

Open browsers developer tools (Ctrl-Shift-I in Firefox and Chrome)
Choose the network tab of developer tools.
Open the main page of a default FusionDirectory instance
Check the response headers.

Expected behavior:

The security headers mentioned above are set.

Actual behavior:

No security headers are set.

Reproduces how often: 100%

Additional Information

See the OWASP Security Headers project page and Mozilla web security guide for more information on this topic.

### Description

* `X-Frame-Options: deny`: Prevents clickjacking attacks and other attack techniques against the application. [More...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
* `X-XSS-Protection: 1; mode=block`: Increases the difficulty for exploitation of [Cross Site Scripting attacks (XSS)](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)) in many browsers. [More...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
* `X-Content-Type-Options: nosniff`: Indicate that the browser doesn't tries to deduce a content type different from the *Content-Type* header. [More...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)

Furthermore recommended, but difficult to implement effectively:
* `Content-Security-Policy`: Whitelist possible resources and restricts JavaScript usage. Correctly implemented, this increases the difficulty for exploitation of Cross-site scripting attacks. [More...](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

## Distribution Name and Version

Reproduced in *admin.fusiondirectory.org*.

### FusionDirectory Version

1.2

### PHP version used

Reproduced in *admin.fusiondirectory.org*.

### Origin of php packages

Reproduced in *admin.fusiondirectory.org*.

### Steps to Reproduce

1. Open browsers developer tools (Ctrl-Shift-I in Firefox and Chrome)
2. Choose the network tab of developer tools.
3. Open the main page of a default FusionDirectory instance
4. Check the response headers.

**Expected behavior:**

The security headers mentioned above are set.

**Actual behavior:**

No security headers are set.

**Reproduces how often:**
100%

### Additional Information
See the [OWASP Security Headers](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers) project page and [Mozilla web security guide](https://infosec.mozilla.org/guidelines/web_security#x-content-type-options) for more information on this topic.

To upload designs, you'll need to enable LFS. More information