Commit ef64adaa authored by Aaron Wells, committed by Robert Lyon

Adding some HTTP headers for security (Bug 1531987)

X-XSS-Protection: Tells the browser not to disable XSS protection

X-Content-Type-Options: Tells the browser not to try to guess at
mimetypes of downloads

X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
alternate crossdomain.xml files (which set the permissions on whether
this site allows itself to be accessed by scripts in Flash & PDF).
Prevents an attacker from uploading a more permissive crossdomain.xml

X-Powered-By: PHP by default sends this header with the current full
PHP version.

behatnotneeded: Selenium can't examine HTTP response headers

Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357
(cherry picked from commit 29656f03)
parent 1c654e04
......@@ -302,6 +302,15 @@ if (!get_config('productionmode')) {
header('Content-type: text/html; charset=UTF-8');
// Security headers. See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('X-Permitted-Cross-Domain-Policies: master-only');
// Don't print precise PHP version as an HTTP header
header_remove('x-powered-by');
// Only do authentication once we know the page theme, so that the login form
// can have the correct theming.
require_once('auth/lib.php');
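Review bot: the hunk adds `header('X-Frame-Options: SAMEORIGIN');` but the commit message does not list it with the other headers; please document it (and the clickjacking risk it addresses) alongside X-XSS-Protection, X-Content-Type-Options and X-Permitted-Cross-Domain-Policies so the intent is reviewable later. Two further points on the same block: `header_remove('x-powered-by')` only strips the header PHP itself emits, so it is worth noting in the comment that `expose_php = Off` in php.ini is the more complete fix and that any `Server` header added by the web server is unaffected; and since the headers are emitted from this single code path, it is worth confirming that every entry point (download handlers, AJAX endpoints) passes through here, or otherwise setting them in the web server configuration so no response is left without them.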