Issue 3700: Security and Privacy related Headers

diff --git a/doc/htconfig.md b/doc/htconfig.md
index aeb0c920227b863afe92224140fc37f43ed5a5f4..dd7ab8047ce748fa8f23fb1987276da96a564cdc 100644 (file)
--- a/doc/htconfig.md
+++ b/doc/htconfig.md
@@ -44,6 +44,7 @@ Example: To set the directory value please add this line to your .htconfig.php:
 * **dlogfile - location of the developer log file
 * **event_input_format** - Default value is "ymd".
 * **frontend_worker_timeout** - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10.
+* **hsts** (Boolean) - Enables the sending of HTTP Strict Transport Security headers
 * **ignore_cache** (Boolean) - For development only. Disables the item cache.
 * **like_no_comment** (Boolean) - Don't update the "commented" value of an item when it is liked.
 * **local_block** (Boolean) - Used in conjunction with "block_public".

diff --git a/include/session.php b/include/session.php
index 5194e7ef0e901472677693b2f0b0330df4f8573d..af871b28a1d8467b9ebb4f87ad1131f4cf424804 100644 (file)
--- a/include/session.php
+++ b/include/session.php
@@ -2,6 +2,8 @@
 // Session management functions. These provide database storage of PHP
 // session info.
 
+use Friendica\Core\Config;
+
 require_once('include/cache.php');
 
 $session_exists = 0;
@@ -114,6 +116,10 @@ ini_set('session.gc_probability', $gc_probability);
 ini_set('session.use_only_cookies', 1);
 ini_set('session.cookie_httponly', 1);
 
+if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL) {
+       ini_set('session.cookie_secure', 1);
+}
+
 if (!get_config('system', 'disable_database_session')) {
        session_set_save_handler('ref_session_open', 'ref_session_close',
                                'ref_session_read', 'ref_session_write',

diff --git a/index.php b/index.php
index 5b4cea756b3d68964ad67a0c2f30157c4883b93a..d3d2e42ae6a7c8e088be411c896e644764d8c816 100644 (file)
--- a/index.php
+++ b/index.php
@@ -489,6 +489,19 @@ $profile = $a->profile;
 header("X-Friendica-Version: " . FRIENDICA_VERSION);
 header("Content-type: text/html; charset=utf-8");
 
+if (Config::get('system', 'hsts') && (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL)) {
+       header("Strict-Transport-Security: max-age=31536000");
+}
+
+// Some security stuff
+header('X-Content-Type-Options: nosniff');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Permitted-Cross-Domain-Policies: none');
+header('X-Frame-Options: sameorigin');
+
+// Things like embedded OSM maps don't work, when this is enabled
+// header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' https: data:; media-src 'self' https:; child-src 'self' https:; object-src 'none'");
+
 /*
  * We use $_GET["mode"] for special page templates. So we will check if we have
  * to load another page template than the default one.