# Version: 8.1.0
-<IfModule mod_fcgid.c>
-<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
-SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
-RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
-</IfModule>
-</IfModule>
+ <IfModule mod_fcgid.c>
+ <IfModule mod_setenvif.c>
+ SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
+ RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
+ </IfModule>
+ </IfModule>
+
+ <IfModule mod_env.c>
+ # Add security and privacy related headers
+ Header set X-Content-Type-Options "nosniff"
+ Header set X-XSS-Protection "1; mode=block"
+ Header set X-Robots-Tag "none"
+ Header set X-Frame-Options "SAMEORIGIN"
+ SetEnv modHeadersAvailable true
+ </IfModule>
+
+ # Add cache control for CSS and JS files
+ <FilesMatch "\.(css|js)$">
+ Header set Cache-Control "max-age=7200, public"
+ </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
php_value upload_max_filesize 513M
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
- ModPagespeed Off
-</IfModule>
-<IfModule mod_headers.c>
- Header set X-Content-Type-Options "nosniff"
- Header set X-XSS-Protection "1; mode=block"
- Header set X-Robots-Tag "none"
- Header set X-Frame-Options "SAMEORIGIN"
- <FilesMatch "\.(css|js)$">
- Header set Cache-Control "max-age=7200, public"
- </FilesMatch>
+ ModPagespeed Off
</IfModule>
};
for (var header in securityHeaders) {
- if(xhr.getResponseHeader(header) !== securityHeaders[header]) {
+ if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
messages.push(
- t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]})
+ t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]})
);
}
}
);
async.done(function( data, s, x ){
- expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security risk and we recommend adjusting this setting.']);
+ expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.']);
done();
});
});
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'Strict-Transport-Security': '2678400'
-
}
);
async.done(function( data, s, x ){
- expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.']);
+ expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.']);
done();
});
});
async.done(function( data, s, x ){
expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.']);
- done();
+ done();
});
});
);
async.done(function( data, s, x ){
expect(data).toEqual(['Error occurred while checking server setup', 'Error occurred while checking server setup']);
- done();
+ done();
});
});
async.done(function( data, s, x ){
expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']);
- done();
+ done();
});
});
. 'media-src *; '
. 'connect-src *';
header('Content-Security-Policy:' . $policy);
+
+ // Send fallback headers for installations that don't have the possibility to send
+ // custom headers on the webserver side
+ if(getenv('modHeadersAvailable') !== 'true') {
+ header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+ header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+ header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+ header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+ }
}
}
<li><a target="_blank" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?> ↗</a></li>
<li><a target="_blank" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?> ↗</a></li>
<li><a target="_blank" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?> ↗</a></li>
+ <li><a target="_blank" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?> ↗</a></li>
</ul>
</div>