@@ -1,11 +1,25 @@ | |||
# Version: 8.1.0 | |||
<IfModule mod_fcgid.c> | |||
<IfModule mod_setenvif.c> | |||
<IfModule mod_headers.c> | |||
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1 | |||
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION | |||
</IfModule> | |||
</IfModule> | |||
<IfModule mod_fcgid.c> | |||
<IfModule mod_setenvif.c> | |||
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1 | |||
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION | |||
</IfModule> | |||
</IfModule> | |||
<IfModule mod_env.c> | |||
# Add security and privacy related headers | |||
Header set X-Content-Type-Options "nosniff" | |||
Header set X-XSS-Protection "1; mode=block" | |||
Header set X-Robots-Tag "none" | |||
Header set X-Frame-Options "SAMEORIGIN" | |||
SetEnv modHeadersAvailable true | |||
</IfModule> | |||
# Add cache control for CSS and JS files | |||
<FilesMatch "\.(css|js)$"> | |||
Header set Cache-Control "max-age=7200, public" | |||
</FilesMatch> | |||
</IfModule> | |||
<IfModule mod_php5.c> | |||
php_value upload_max_filesize 513M | |||
@@ -42,14 +56,5 @@ DirectoryIndex index.php index.html | |||
AddDefaultCharset utf-8 | |||
Options -Indexes | |||
<IfModule pagespeed_module> | |||
ModPagespeed Off | |||
</IfModule> | |||
<IfModule mod_headers.c> | |||
Header set X-Content-Type-Options "nosniff" | |||
Header set X-XSS-Protection "1; mode=block" | |||
Header set X-Robots-Tag "none" | |||
Header set X-Frame-Options "SAMEORIGIN" | |||
<FilesMatch "\.(css|js)$"> | |||
Header set Cache-Control "max-age=7200, public" | |||
</FilesMatch> | |||
ModPagespeed Off | |||
</IfModule> |
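Review bot: The four `Header set` lines in the new `<IfModule mod_env.c>` block use the default `onsuccess` condition, so they are not attached to error responses that Apache generates itself (for example a 404 for a missing static file), while the `SetEnv modHeadersAvailable true` line on the same block tells the PHP side to skip its fallback headers for every request; using `Header always set X-Content-Type-Options "nosniff"` (and likewise for X-XSS-Protection, X-Robots-Tag and X-Frame-Options) covers both header tables. The same applies to the relocated block in the second hunk of this file. The closing tag after the FilesMatch block suggests the mod_env.c block sits inside `<IfModule mod_headers.c>`, which is what keeps the env flag from being set when mod_headers is missing; since the rendered view loses the old/new markers this nesting is worth confirming, and a one-line comment such as `# keep this block inside mod_headers.c: the flag must only be set when the headers above are actually sent` would make the dependency explicit.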
@@ -115,9 +115,9 @@ | |||
}; | |||
for (var header in securityHeaders) { | |||
if(xhr.getResponseHeader(header) !== securityHeaders[header]) { | |||
if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) { | |||
messages.push( | |||
t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}) | |||
t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}) | |||
); | |||
} | |||
} |
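Review bot: The new condition calls `xhr.getResponseHeader(header)` three times per iteration, which makes the line hard to read; read it once into a local, `var actual = xhr.getResponseHeader(header);` followed by `if(!actual || actual.toLowerCase() !== securityHeaders[header].toLowerCase()) {`. A second point: when the same header is sent twice (for instance by the web server and by the PHP fallback added in this commit, which only the Apache-side `modHeadersAvailable` flag suppresses), the browser returns the values joined with a comma, so the comparison fails and the message blames the value rather than the duplication; a comment such as `// a header sent twice is seen as a joined value and will not match` would help whoever debugs that report. The enclosing function starts outside the hunk.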
@@ -140,7 +140,7 @@ describe('OC.SetupChecks tests', function() { | |||
); | |||
async.done(function( data, s, x ){ | |||
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security risk and we recommend adjusting this setting.']); | |||
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.']); | |||
done(); | |||
}); | |||
}); | |||
@@ -155,12 +155,11 @@ describe('OC.SetupChecks tests', function() { | |||
'X-Robots-Tag': 'none', | |||
'X-Frame-Options': 'SAMEORIGIN', | |||
'Strict-Transport-Security': '2678400' | |||
} | |||
); | |||
async.done(function( data, s, x ){ | |||
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.']); | |||
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.']); | |||
done(); | |||
}); | |||
}); | |||
@@ -202,7 +201,7 @@ describe('OC.SetupChecks tests', function() { | |||
async.done(function( data, s, x ){ | |||
expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.']); | |||
done(); | |||
done(); | |||
}); | |||
}); | |||
@@ -218,7 +217,7 @@ describe('OC.SetupChecks tests', function() { | |||
); | |||
async.done(function( data, s, x ){ | |||
expect(data).toEqual(['Error occurred while checking server setup', 'Error occurred while checking server setup']); | |||
done(); | |||
done(); | |||
}); | |||
}); | |||
@@ -237,7 +236,7 @@ describe('OC.SetupChecks tests', function() { | |||
async.done(function( data, s, x ){ | |||
expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']); | |||
done(); | |||
done(); | |||
}); | |||
}); | |||
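Review bot: The spec hunks only re-word the expected messages; none of the visible cases exercises the behaviour the check gained in this commit, namely a header that is present with a different letter case (such as `'X-Frame-Options': 'Sameorigin'`, which is exactly what the PHP fallback in this commit sends) and must no longer produce a message, nor the guard for a header that is entirely absent. Adding one case whose stubbed headers use mixed case and expecting no header-related message, plus one with a header missing, would pin the new comparison. The enclosing `describe` starts outside these hunks, so some of this may already be covered elsewhere in the file.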
@@ -229,6 +229,15 @@ class OC_Response { | |||
. 'media-src *; ' | |||
. 'connect-src *'; | |||
header('Content-Security-Policy:' . $policy); | |||
// Send fallback headers for installations that don't have the possibility to send | |||
// custom headers on the webserver side | |||
if(getenv('modHeadersAvailable') !== 'true') { | |||
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters | |||
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE | |||
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains | |||
header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag | |||
} | |||
} | |||
} |
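Review bot: The fallback sends `X-Frame-Options: Sameorigin`, while the .htaccess in this commit sends `SAMEORIGIN` and the setup check compares against that spelling only after lower-casing both sides; using the same value here, `header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains`, removes the inconsistency rather than relying on the check to tolerate it. The `getenv('modHeadersAvailable') !== 'true'` guard is only set by the Apache .htaccess, so on any other web server these headers are always sent by PHP; if an administrator also adds them in the server configuration, the response carries each header twice, which some clients treat as an invalid value. That is worth stating in the comment above the guard, e.g. `// Sent unless the web server signals via the modHeadersAvailable environment variable that it already sets these headers; setting it avoids duplicate headers`. The enclosing method starts outside the hunk.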
@@ -444,6 +444,7 @@ if ($_['cronErrors']) { | |||
<li><a target="_blank" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?> ↗</a></li> | |||
<li><a target="_blank" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?> ↗</a></li> | |||
<li><a target="_blank" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?> ↗</a></li> | |||
<li><a target="_blank" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?> ↗</a></li> | |||
</ul> | |||
</div> | |||