Added security related HTTP - header for browser which support this (non supporting browsers will just ignore it and everything is fine)

Signed-off-by: Florian Aders (EleRas) <eleras@froxlor.org>
2011-06-16 20:17:44 +02:00
parent cc26584f01
commit 3800f31823
1 changed files with 23 additions and 3 deletions
--- a/lib/init.php
+++ b/lib/init.php
@@ -17,11 +17,31 @@
 *
 */

-// prevent Froxlor pages from being cached
+header("Content-Type: text/html; charset=iso-8859-1");

-header("Cache-Control: no-cache, must-revalidate");
+// prevent Froxlor pages from being cached
+header("Cache-Control: no-store, no-cache, must-revalidate");
 header("Pragma: no-cache");
-header("Content-type: text/html; charset=iso-8859-1");
+header('Last-Modified: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time()));
+header('Expires: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time()));
+
+// Prevent inline - JS to be executed (i.e. XSS) in browsers which support this,
+// Inline-JS is no longer allowed and used
+// See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
+header("X-Content-Security-Policy: allow 'self'; frame-ancestors 'none'");
+
+// Don't allow to load Froxlor in an iframe to prevent i.e. clickjacking
+header('X-Frame-Options: DENY');
+
+// If Froxlor was called via HTTPS -> enforce it for the next time
+if(isset( $_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off' ))
+{
+	header('Strict-Transport-Security: max-age=500');
+}
+
+// Internet Explorer shall not guess the Content-Type, see:
+// http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+header('X-Content-Type-Options: nosniff' );

 // ensure that default timezone is set
 if(function_exists("date_default_timezone_set") && function_exists("date_default_timezone_get"))