From: Robert Kaiser <kairo@kairo.at>
Date: Wed, 2 Nov 2016 21:15:06 +0000 (+0100)
Subject: set some security flags recommended by the Mozilla Observatory
X-Git-Url: https://git-public.kairo.at/?p=authserver.git;a=commitdiff_plain;h=b0e48c35c57284bf91bb8b3dc2da4c8a3206617c

set some security flags recommended by the Mozilla Observatory
---

diff --git a/api.php b/api.php
index b3096d1..f51f201 100644
--- a/api.php
+++ b/api.php
@@ -11,6 +11,7 @@
 require_once(__DIR__.'/authsystem.inc.php');
 
 $errors = $utils->checkForSecureConnection();
+$utils->sendSecurityHeaders();
 
 if (!count($errors)) {
   // Handle a request to a resource and authenticate the access token
diff --git a/authorize.php b/authorize.php
index ac0979a..0740e23 100644
--- a/authorize.php
+++ b/authorize.php
@@ -22,6 +22,7 @@ $title->appendText('Authorization Request | KaiRo.at');
 $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server');
 
 $errors = $utils->checkForSecureConnection();
+$utils->sendSecurityHeaders();
 
 $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.'));
 $para->setAttribute('id', 'jswarning');
diff --git a/authutils.php-class b/authutils.php-class
index dc06a7f..9cd000c 100755
--- a/authutils.php-class
+++ b/authutils.php-class
@@ -107,6 +107,26 @@ class AuthUtils {
     return $errors;
   }
 
+  function sendSecurityHeaders() {
+    // Send various headers that we want to have for security resons, mostly as recommended by https://observatory.mozilla.org/
+
+    // CSP - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
+    // Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) from ourselves; also disable framing.
+    header('Content-Security-Policy: default-src \'none\';img-src \'self\'; script-src \'self\'; style-src \'self\'; frame-ancestors \'none\'');
+
+    // X-Content-Type-Options - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Content-Type-Options
+    // Prevent browsers from incorrectly detecting non-scripts as scripts
+    header('X-Content-Type-Options: nosniff');
+
+    // X-Frame-Options (for older browsers) - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Frame-Options
+    // Block site from being framed
+    header('X-Frame-Options: DENY');
+
+    // X-XSS-Protection (for older browsers) - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection
+    // Block pages from loading when they detect reflected XSS attacks
+    header('X-XSS-Protection: 1; mode=block');
+  }
+
   function initSession() {
     $session = null;
     if (strlen(@$_COOKIE['sessionkey'])) {
diff --git a/index.php b/index.php
index 76e11d2..cfe66ec 100644
--- a/index.php
+++ b/index.php
@@ -18,6 +18,7 @@ $title->appendText('KaiRo.at Authentication Server');
 $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server');
 
 $errors = $utils->checkForSecureConnection();
+$utils->sendSecurityHeaders();
 
 $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.'));
 $para->setAttribute('id', 'jswarning');