From 9d1ce53cb1e4f3f8d04de2e442e2928f3e7bab7c Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Thu, 26 Mar 2015 15:30:00 +0100 Subject: [PATCH] Add some generic default headers as well via PHP --- .htaccess | 37 +++++++++++++++----------- core/js/setupchecks.js | 4 +-- core/js/tests/specs/setupchecksSpec.js | 11 ++++---- lib/private/response.php | 9 +++++++ settings/templates/admin.php | 1 + 5 files changed, 38 insertions(+), 24 deletions(-) diff --git a/.htaccess b/.htaccess index 5e24a35743d..8c1cefb89c2 100644 --- a/.htaccess +++ b/.htaccess @@ -1,11 +1,25 @@ # Version: 8.1.0 - - -SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1 -RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION - - + + + SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1 + RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION + + + + + # Add security and privacy related headers + Header set X-Content-Type-Options "nosniff" + Header set X-XSS-Protection "1; mode=block" + Header set X-Robots-Tag "none" + Header set X-Frame-Options "SAMEORIGIN" + SetEnv modHeadersAvailable true + + + # Add cache control for CSS and JS files + + Header set Cache-Control "max-age=7200, public" + php_value upload_max_filesize 513M @@ -42,14 +56,5 @@ DirectoryIndex index.php index.html AddDefaultCharset utf-8 Options -Indexes - ModPagespeed Off - - - Header set X-Content-Type-Options "nosniff" - Header set X-XSS-Protection "1; mode=block" - Header set X-Robots-Tag "none" - Header set X-Frame-Options "SAMEORIGIN" - - Header set Cache-Control "max-age=7200, public" - + ModPagespeed Off diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index d5bd1c465b2..67925d75d34 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js 
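Review bot: `SetEnv modHeadersAvailable true` in the first hunk is a mod_env directive, so on a server where mod_env is not loaded the .htaccess fails to parse ("Invalid command 'SetEnv'") and every request returns 500, even though the flag only exists to tell PHP that mod_headers already sent the security headers. The conditional wrappers appear to have been stripped from this rendering, but the `SetEnv` seems to sit under the mod_headers guard only; nesting it in its own `<IfModule mod_env.c>` … `</IfModule>` lets the fallback in `lib/private/response.php` take over (PHP just sends the headers itself) instead of taking the site down. A comment such as `# Tells OC_Response that mod_headers already emits the security headers` next to it would also explain to the next editor why the flag exists.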
@@ -115,9 +115,9 @@ }; for (var header in securityHeaders) { - if(xhr.getResponseHeader(header) !== securityHeaders[header]) { + if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) { messages.push( - t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}) + t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}) ); } } diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 487e28a6204..70f64432e9e 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js 
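Review bot: The new condition on the `if` line calls `xhr.getResponseHeader(header)` twice and leaves the purpose of the leading `!` guard unstated; a missing header returns `null`, which would throw on `.toLowerCase()`, and hoisting the value into a local makes both points readable: `var actual = xhr.getResponseHeader(header);` followed by `if (!actual || actual.toLowerCase() !== securityHeaders[header].toLowerCase()) {`. A one-line comment such as `// header values are case-insensitive, and an absent header comes back as null` would record why the comparison was loosened. The function this loop belongs to starts before the hunk.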
@@ -140,7 +140,7 @@ describe('OC.SetupChecks tests', function() { ); async.done(function( data, s, x ){ - expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security risk and we recommend adjusting this setting.']); + expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.']); done(); }); }); 
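Review bot: The spec changes in this file only update the expected message strings; nothing exercises the two behaviours setupchecks.js gains in this commit, namely a header present with different letter case (should now produce no message) and a header absent from the response (must not throw on `.toLowerCase()` of `null`). Adding one case that answers with e.g. `'X-Frame-Options': 'sameorigin'` and expects no message for that header, and one that omits a header entirely and expects the standard message, would pin the new comparison. The `describe` block these tests live in starts before the hunk.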
@@ -155,12 +155,11 @@ describe('OC.SetupChecks tests', function() { 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', 'Strict-Transport-Security': '2678400' - } ); async.done(function( data, s, x ){ - expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.']); + expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.']); done(); }); }); @@ -202,7 +201,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.']); - done(); + done(); }); }); @@ -218,7 +217,7 @@ describe('OC.SetupChecks tests', function() { ); async.done(function( data, s, x ){ expect(data).toEqual(['Error occurred while checking server setup', 'Error occurred while checking server setup']); - done(); + done(); }); }); @@ -237,7 +236,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']); - done(); + done(); }); }); diff --git a/lib/private/response.php b/lib/private/response.php index e0d48c7476b..ba458cb6afd 100644 --- a/lib/private/response.php +++ b/lib/private/response.php 
@@ -229,6 +229,15 @@ class OC_Response { . 'media-src *; ' . 'connect-src *'; header('Content-Security-Policy:' . $policy); + + // Send fallback headers for installations that don't have the possibility to send + // custom headers on the webserver side + if(getenv('modHeadersAvailable') !== 'true') { + header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters + header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE + header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains + header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag + } } } diff --git a/settings/templates/admin.php b/settings/templates/admin.php index 42ae42a4d02..f37b541e421 100644 --- a/settings/templates/admin.php +++ b/settings/templates/admin.php @@ -444,6 +444,7 @@ if ($_['cronErrors']) {
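Review bot: The fallback `header('X-Frame-Options: Sameorigin');` spells the value differently from the `SAMEORIGIN` that .htaccess sends and that the setup check expects; the check now compares case-insensitively so it passes, but both paths should emit the same token, `header('X-Frame-Options: SAMEORIGIN');`, so a later tightening of the check or anyone grepping for the value does not trip over it. The `getenv('modHeadersAvailable') !== 'true'` gate also relies on the web server passing `SetEnv` variables into PHP's environment, which presumably does not hold for every SAPI (FastCGI-style setups, for instance); in that case both Apache and PHP emit the headers, which should be harmless because `Header set` replaces, but it is worth stating in the comment, e.g. `// If the env flag does not reach PHP both sides send the headers; Apache's "Header set" wins`. The enclosing method starts before this hunk.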
  • t('Performance tuning'));?> ↗
  • t('Improving the config.php'));?> ↗
  • t('Theming'));?> ↗
  • +
  • t('Hardening and security guidance'));?> ↗
  • -- 2.39.5