diff options
| -rw-r--r-- | .htaccess | 37 | ||||
| -rw-r--r-- | core/js/setupchecks.js | 4 | ||||
| -rw-r--r-- | core/js/tests/specs/setupchecksSpec.js | 11 | ||||
| -rw-r--r-- | lib/private/response.php | 9 | ||||
| -rw-r--r-- | settings/templates/admin.php | 1 |
5 files changed, 38 insertions, 24 deletions
diff --git a/.htaccess b/.htaccess index 5e24a35743d..8c1cefb89c2 100644 --- a/.htaccess +++ b/.htaccess @@ -1,11 +1,25 @@ # Version: 8.1.0 -<IfModule mod_fcgid.c> -<IfModule mod_setenvif.c> <IfModule mod_headers.c> -SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1 -RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION -</IfModule> -</IfModule> + <IfModule mod_fcgid.c> + <IfModule mod_setenvif.c> + SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1 + RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION + </IfModule> + </IfModule> + + <IfModule mod_env.c> + # Add security and privacy related headers + Header set X-Content-Type-Options "nosniff" + Header set X-XSS-Protection "1; mode=block" + Header set X-Robots-Tag "none" + Header set X-Frame-Options "SAMEORIGIN" + SetEnv modHeadersAvailable true + </IfModule> + + # Add cache control for CSS and JS files + <FilesMatch "\.(css|js)$"> + Header set Cache-Control "max-age=7200, public" + </FilesMatch> </IfModule> <IfModule mod_php5.c> php_value upload_max_filesize 513M @@ -42,14 +56,5 @@ DirectoryIndex index.php index.html AddDefaultCharset utf-8 Options -Indexes <IfModule pagespeed_module> - ModPagespeed Off -</IfModule> -<IfModule mod_headers.c> - Header set X-Content-Type-Options "nosniff" - Header set X-XSS-Protection "1; mode=block" - Header set X-Robots-Tag "none" - Header set X-Frame-Options "SAMEORIGIN" - <FilesMatch "\.(css|js)$"> - Header set Cache-Control "max-age=7200, public" - </FilesMatch> + ModPagespeed Off </IfModule> diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index d5bd1c465b2..67925d75d34 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -115,9 +115,9 @@ }; for (var header in securityHeaders) { - if(xhr.getResponseHeader(header) !== securityHeaders[header]) { + if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) { messages.push( - t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}) + t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}) ); } } diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 487e28a6204..70f64432e9e 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -140,7 +140,7 @@ describe('OC.SetupChecks tests', function() { ); async.done(function( data, s, x ){ - expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security risk and we recommend adjusting this setting.']); + expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.']); done(); }); }); @@ -155,12 +155,11 @@ describe('OC.SetupChecks tests', function() { 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', 'Strict-Transport-Security': '2678400' - } ); async.done(function( data, s, x ){ - expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.']); + expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.']); done(); }); }); @@ -202,7 +201,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.']); - done(); + done(); }); }); @@ -218,7 +217,7 @@ describe('OC.SetupChecks tests', function() { ); async.done(function( data, s, x ){ expect(data).toEqual(['Error occurred while checking server setup', 'Error occurred while checking server setup']); - done(); + done(); }); }); @@ -237,7 +236,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']); - done(); + done(); }); }); diff --git a/lib/private/response.php b/lib/private/response.php index e0d48c7476b..ba458cb6afd 100644 --- a/lib/private/response.php +++ b/lib/private/response.php @@ -229,6 +229,15 @@ class OC_Response { . 'media-src *; ' . 'connect-src *'; header('Content-Security-Policy:' . $policy); + + // Send fallback headers for installations that don't have the possibility to send + // custom headers on the webserver side + if(getenv('modHeadersAvailable') !== 'true') { + header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters + header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE + header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains + header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag + } } } diff --git a/settings/templates/admin.php b/settings/templates/admin.php index 42ae42a4d02..f37b541e421 100644 --- a/settings/templates/admin.php +++ b/settings/templates/admin.php @@ -444,6 +444,7 @@ if ($_['cronErrors']) { <li><a target="_blank" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?> ↗</a></li> <li><a target="_blank" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?> ↗</a></li> <li><a target="_blank" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?> ↗</a></li> + <li><a target="_blank" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?> ↗</a></li> </ul> </div> |