Friendica/friendica
Friendica/friendica
1
0
Fork 1
mirror of https://git.friendi.ca/friendica/friendica.git synced 2025-06-07 22:05:10 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Issue 3700: Security and Privacy related Headers

Browse source
This commit is contained in:
Michael 2017-09-14 05:40:23 +00:00
parent cf6874cffc
commit 7a3bb02f11
3 changed files with 20 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
index.php
View file

@ -489,6 +489,19 @@ $profile = $a->profile;
header("X-Friendica-Version: " . FRIENDICA_VERSION);
header("Content-type: text/html; charset=utf-8");
if (Config::get('system', 'hsts') && (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL)) {
header("Strict-Transport-Security: max-age=31536000");
}
// Some security stuff
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
header('X-Permitted-Cross-Domain-Policies: none');
header('X-Frame-Options: sameorigin');
// Things like embedded OSM maps don't work, when this is enabled
// header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' https: data:; media-src 'self' https:; child-src 'self' https:; object-src 'none'");
/*
* We use $_GET["mode"] for special page templates. So we will check if we have
* to load another page template than the default one.