From b0e48c35c57284bf91bb8b3dc2da4c8a3206617c Mon Sep 17 00:00:00 2001 From: Robert Kaiser Date: Wed, 2 Nov 2016 22:15:06 +0100 Subject: [PATCH] set some security flags recommended by the Mozilla Observatory --- api.php | 1 + authorize.php | 1 + authutils.php-class | 20 ++++++++++++++++++++ index.php | 1 + 4 files changed, 23 insertions(+) diff --git a/api.php b/api.php index b3096d1..f51f201 100644 --- a/api.php +++ b/api.php @@ -11,6 +11,7 @@ require_once(__DIR__.'/authsystem.inc.php'); $errors = $utils->checkForSecureConnection(); +$utils->sendSecurityHeaders(); if (!count($errors)) { // Handle a request to a resource and authenticate the access token diff --git a/authorize.php b/authorize.php index ac0979a..0740e23 100644 --- a/authorize.php +++ b/authorize.php @@ -22,6 +22,7 @@ $title->appendText('Authorization Request | KaiRo.at'); $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server'); $errors = $utils->checkForSecureConnection(); +$utils->sendSecurityHeaders(); $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.')); $para->setAttribute('id', 'jswarning'); diff --git a/authutils.php-class b/authutils.php-class index dc06a7f..9cd000c 100755 --- a/authutils.php-class +++ b/authutils.php-class @@ -107,6 +107,26 @@ class AuthUtils { return $errors; } + function sendSecurityHeaders() { + // Send various headers that we want to have for security resons, mostly as recommended by https://observatory.mozilla.org/ + + // CSP - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy + // Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) from ourselves; also disable framing. + header('Content-Security-Policy: default-src \'none\';img-src \'self\'; script-src \'self\'; style-src \'self\'; frame-ancestors \'none\''); + + // X-Content-Type-Options - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Content-Type-Options + // Prevent browsers from incorrectly detecting non-scripts as scripts + header('X-Content-Type-Options: nosniff'); + + // X-Frame-Options (for older browsers) - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Frame-Options + // Block site from being framed + header('X-Frame-Options: DENY'); + + // X-XSS-Protection (for older browsers) - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection + // Block pages from loading when they detect reflected XSS attacks + header('X-XSS-Protection: 1; mode=block'); + } + function initSession() { $session = null; if (strlen(@$_COOKIE['sessionkey'])) { diff --git a/index.php b/index.php index 76e11d2..cfe66ec 100644 --- a/index.php +++ b/index.php @@ -18,6 +18,7 @@ $title->appendText('KaiRo.at Authentication Server'); $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server'); $errors = $utils->checkForSecureConnection(); +$utils->sendSecurityHeaders(); $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.')); $para->setAttribute('id', 'jswarning'); -- 2.43.0