nextcloud
/
server
mirror of https://github.com/nextcloud/server
0
0
Fork 0
Code Issues Releases Wiki Activity

adding X-Robots-Tag to all responses of ownCloud + move addSecurityHeaders() to OC_Response, which seems to be a more reasonable place

This commit is contained in:
Thomas Müller 2014-05-12 15:14:01 +02:00
parent 9a9665f361
commit 3cd32dcb7c
2 changed files with 33 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/base.php
View File

@ -212,34 +212,6 @@ class OC {
}
}
/*
* This function adds some security related headers to all requests served via base.php
* The implementation of this function has to happen here to ensure that all third-party
* components (e.g. SabreDAV) also benefit from this headers.
*/
public static function addSecurityHeaders() {
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
// iFrame Restriction Policy
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
if($xFramePolicy) {
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
}
// Content Security Policy
// If you change the standard policy, please also change it in config.sample.php
$policy = OC_Config::getValue('custom_csp_policy',
'default-src \'self\'; '
.'script-src \'self\' \'unsafe-eval\'; '
.'style-src \'self\' \'unsafe-inline\'; '
.'frame-src *; '
.'img-src *; '
.'font-src \'self\' data:; '
.'media-src *');
header('Content-Security-Policy:'.$policy);
}
public static function checkSSL() {
// redirect to https site if configured
if (OC_Config::getValue("forcessl", false)) {
@ -545,7 +517,7 @@ class OC {
self::checkConfig();
self::checkInstalled();
self::checkSSL();
self::addSecurityHeaders();
OC_Response::addSecurityHeaders();
$errors = OC_Util::checkServer();
if (count($errors) > 0) {

32
lib/private/response.php
View File

@ -186,4 +186,36 @@ class OC_Response {
self::setStatus(self::STATUS_NOT_FOUND);
}
}
/*
* This function adds some security related headers to all requests served via base.php
* The implementation of this function has to happen here to ensure that all third-party
* components (e.g. SabreDAV) also benefit from this headers.
*/
public static function addSecurityHeaders() {
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
// iFrame Restriction Policy
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
if ($xFramePolicy) {
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
}
// Content Security Policy
// If you change the standard policy, please also change it in config.sample.php
$policy = OC_Config::getValue('custom_csp_policy',
'default-src \'self\'; '
. 'script-src \'self\' \'unsafe-eval\'; '
. 'style-src \'self\' \'unsafe-inline\'; '
. 'frame-src *; '
. 'img-src *; '
. 'font-src \'self\' data:; '
. 'media-src *');
header('Content-Security-Policy:' . $policy);
// https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
header('X-Robots-Tag: none');
}
}