authorredmatrix <git@macgirvin.com>2016-01-07 12:47:46 -0800
committerredmatrix <git@macgirvin.com>2016-01-07 12:47:46 -0800
commit100412267ad5d193d2131e3fa89090846267b72d (patch)
tree7450f92cada7860528a1f57e03316b7831239d19
parent761afd029d97703f2f7609d546b7b5f3d257c601 (diff)
downloadvolse-hubzilla-100412267ad5d193d2131e3fa89090846267b72d.tar.gz
volse-hubzilla-100412267ad5d193d2131e3fa89090846267b72d.tar.bz2
volse-hubzilla-100412267ad5d193d2131e3fa89090846267b72d.zip
extra security headers, revert or fix if functionality is blocked
-rwxr-xr-xboot.php15
-rw-r--r--version.inc2
2 files changed, 16 insertions, 1 deletions
diff --git a/boot.php b/boot.php
index 4c2cff09b..152fb426b 100755
--- a/boot.php
+++ b/boot.php
@@ -874,6 +874,11 @@ class App {
}
}
+ function get_scheme() {
+ return $this->scheme;
+ }
+
+
function get_hostname() {
return $this->hostname;
}
@@ -2121,6 +2126,16 @@ function construct_page(&$a) {
$profile = $a->profile;
header("Content-type: text/html; charset=utf-8");
+ if($a->get_scheme() === 'https')
+ header("Strict-Transport-Security: max-age=31536000");
+
+ header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+
+ if($a->config['system']['x_security_headers']) {
+ header("X-Frame-Options: SAMEORIGIN");
+ header("X-Xss-Protection: 1; mode=block;");
+ header("X-Content-Type-Options: nosniff");
+ }
require_once(theme_include(
((x($a->page, 'template')) ? $a->page['template'] : 'default' ) . '.php' )
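Review bot: The new `if($a->config['system']['x_security_headers'])` reads the key unguarded, so on a hub where the setting has never been stored it raises an undefined-index notice on every page render and the three headers are silently skipped; guard it the way the template lookup two lines below does, `if(x($a->config['system'], 'x_security_headers')) {`. The Content-Security-Policy line allows `'unsafe-inline'` and `'unsafe-eval'` in script-src, which leaves the policy doing little against injected script, and since the commit message already anticipates relaxing it, a comment such as `// CSP is deliberately permissive (inline/eval) for theme and plugin compatibility; tighten once those are migrated` records the trade-off for whoever revisits it. The `X-Xss-Protection` value carries a trailing `;` (`1; mode=block;`) that some parsers reject — drop it. Presumably `$this->scheme` reflects the request as PHP saw it; behind a TLS-terminating proxy it may read `http` and the HSTS header would then never be sent, which is worth a comment on the `get_scheme()` check. construct_page's body starts and ends outside the hunk.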
diff --git a/version.inc b/version.inc
index be2d3de4a..9846c0954 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2016-01-06.1270H
+2016-01-07.1271H