Merge pull request #15225 from owncloud/make-setups-for-users-that-tend-to-use-owncloud-on-not-proper-machines-a-little-bit-more-secure

Add some generic default headers as well via PHP

1 files changed, 9 insertions, 0 deletions

diff --git a/lib/private/response.php b/lib/private/response.php
index e0d48c7476b..ba458cb6afd 100644
--- a/lib/private/response.php
+++ b/lib/private/response.php
@@ -229,6 +229,15 @@ class OC_Response {
 			. 'media-src *; ' 
 			. 'connect-src *';
 		header('Content-Security-Policy:' . $policy);
+
+		// Send fallback headers for installations that don't have the possibility to send
+		// custom headers on the webserver side
+		if(getenv('modHeadersAvailable') !== 'true') {
+			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+			header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+			header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+		}
 	}
 
 }