set some security flags recommended by the Mozilla Observatory

diff --git a/api.php b/api.php
index b3096d16518c4493402c7cd52899f36932c48dff..f51f20198eda8c59c146e24d858c8e50e777a192 100644 (file)
--- a/api.php
+++ b/api.php
@@ -11,6 +11,7 @@
 require_once(__DIR__.'/authsystem.inc.php');
 
 $errors = $utils->checkForSecureConnection();
+$utils->sendSecurityHeaders();
 
 if (!count($errors)) {
   // Handle a request to a resource and authenticate the access token

diff --git a/authorize.php b/authorize.php
index ac0979a94c3e96221de4a869d717b85505b78674..0740e23d152880eae48d826cad511c9b780cd9a9 100644 (file)
--- a/authorize.php
+++ b/authorize.php
@@ -22,6 +22,7 @@ $title->appendText('Authorization Request | KaiRo.at');
 $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server');
 
 $errors = $utils->checkForSecureConnection();
+$utils->sendSecurityHeaders();
 
 $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.'));
 $para->setAttribute('id', 'jswarning');

diff --git a/authutils.php-class b/authutils.php-class
index dc06a7f7547ab17cabfce789fe2c1624de47b477..9cd000c492d6c1e0ac8872fea75a124e410cb8a3 100755 (executable)
--- a/authutils.php-class
+++ b/authutils.php-class
@@ -107,6 +107,26 @@ class AuthUtils {
     return $errors;
   }
 
+  function sendSecurityHeaders() {
+    // Send various headers that we want to have for security resons, mostly as recommended by https://observatory.mozilla.org/
+
+    // CSP - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
+    // Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) from ourselves; also disable framing.
+    header('Content-Security-Policy: default-src \'none\';img-src \'self\'; script-src \'self\'; style-src \'self\'; frame-ancestors \'none\'');
+
+    // X-Content-Type-Options - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Content-Type-Options
+    // Prevent browsers from incorrectly detecting non-scripts as scripts
+    header('X-Content-Type-Options: nosniff');
+
+    // X-Frame-Options (for older browsers) - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Frame-Options
+    // Block site from being framed
+    header('X-Frame-Options: DENY');
+
+    // X-XSS-Protection (for older browsers) - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection
+    // Block pages from loading when they detect reflected XSS attacks
+    header('X-XSS-Protection: 1; mode=block');
+  }
+
   function initSession() {
     $session = null;
     if (strlen(@$_COOKIE['sessionkey'])) {

diff --git a/index.php b/index.php
index 76e11d28fa6f47e4734fc1ebc2a5c74cab5a3b53..cfe66ec2669589a1b138e1b8a2cdcb33e29c1fb5 100644 (file)
--- a/index.php
+++ b/index.php
@@ -18,6 +18,7 @@ $title->appendText('KaiRo.at Authentication Server');
 $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server');
 
 $errors = $utils->checkForSecureConnection();
+$utils->sendSecurityHeaders();
 
 $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.'));
 $para->setAttribute('id', 'jswarning');