From 7a3bb02f1189aafa5a6d95331e52ec438c86b03f Mon Sep 17 00:00:00 2001 From: Michael Date: Thu, 14 Sep 2017 05:40:23 +0000 Subject: [PATCH] Issue 3700: Security and Privacy related Headers --- doc/htconfig.md | 1 + include/session.php | 6 ++++++ index.php | 13 +++++++++++++ 3 files changed, 20 insertions(+) diff --git a/doc/htconfig.md b/doc/htconfig.md index aeb0c92022..dd7ab8047c 100644 --- a/doc/htconfig.md +++ b/doc/htconfig.md @@ -44,6 +44,7 @@ Example: To set the directory value please add this line to your .htconfig.php: * **dlogfile - location of the developer log file * **event_input_format** - Default value is "ymd". * **frontend_worker_timeout** - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10. +* **hsts** (Boolean) - Enables the sending of HTTP Strict Transport Security headers * **ignore_cache** (Boolean) - For development only. Disables the item cache. * **like_no_comment** (Boolean) - Don't update the "commented" value of an item when it is liked. * **local_block** (Boolean) - Used in conjunction with "block_public". diff --git a/include/session.php b/include/session.php index 5194e7ef0e..af871b28a1 100644 --- a/include/session.php +++ b/include/session.php @@ -2,6 +2,8 @@ // Session management functions. These provide database storage of PHP // session info. +use Friendica\Core\Config; + require_once('include/cache.php'); $session_exists = 0; @@ -114,6 +116,10 @@ ini_set('session.gc_probability', $gc_probability); ini_set('session.use_only_cookies', 1); ini_set('session.cookie_httponly', 1); +if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL) { + ini_set('session.cookie_secure', 1); +} + if (!get_config('system', 'disable_database_session')) { session_set_save_handler('ref_session_open', 'ref_session_close', 'ref_session_read', 'ref_session_write', diff --git a/index.php b/index.php index 5b4cea756b..d3d2e42ae6 100644 --- a/index.php +++ b/index.php @@ -489,6 +489,19 @@ $profile = $a->profile; header("X-Friendica-Version: " . FRIENDICA_VERSION); header("Content-type: text/html; charset=utf-8"); +if (Config::get('system', 'hsts') && (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL)) { + header("Strict-Transport-Security: max-age=31536000"); +} + +// Some security stuff +header('X-Content-Type-Options: nosniff'); +header('X-XSS-Protection: 1; mode=block'); +header('X-Permitted-Cross-Domain-Policies: none'); +header('X-Frame-Options: sameorigin'); + +// Things like embedded OSM maps don't work, when this is enabled +// header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' https: data:; media-src 'self' https:; child-src 'self' https:; object-src 'none'"); + /* * We use $_GET["mode"] for special page templates. So we will check if we have * to load another page template than the default one.