author | Haakon Meland Eriksen <haakon.eriksen@far.no> | 2016-01-09 18:47:52 +0100 |
---|---|---|
committer | Haakon Meland Eriksen <haakon.eriksen@far.no> | 2016-01-09 18:47:52 +0100 |
commit | 41057ac3642ea8c7126cc980be5d896b8b6ff7c3 (patch) | |
tree | 4ab491a65da69c4deb81693f899b9550f5bee010 /boot.php | |
parent | bfe8e1e2e945c49fc1dd9e65279c32ce3be8ff14 (diff) | |
parent | 1c982315dd2d1886432eaece7c7ccb8d385640ae (diff) | |
download | volse-hubzilla-41057ac3642ea8c7126cc980be5d896b8b6ff7c3.tar.gz volse-hubzilla-41057ac3642ea8c7126cc980be5d896b8b6ff7c3.tar.bz2 volse-hubzilla-41057ac3642ea8c7126cc980be5d896b8b6ff7c3.zip |
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'boot.php')
-rwxr-xr-x | boot.php | 22 |
1 files changed, 22 insertions, 0 deletions
@@ -874,6 +874,11 @@ class App {
 		}
 	}
+	function get_scheme() {
+		return $this->scheme;
+	}
+
+
 	function get_hostname() {
 		return $this->hostname;
 	}
@@ -2122,6 +2127,23 @@ function construct_page(&$a) {
 	header("Content-type: text/html; charset=utf-8");
+	// security headers - see https://securityheaders.io
+
+	if($a->get_scheme() === 'https')
+		header("Strict-Transport-Security: max-age=31536000");
+
+	header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+
+	if($a->config['system']['x_security_headers']) {
+		header("X-Frame-Options: SAMEORIGIN");
+		header("X-Xss-Protection: 1; mode=block;");
+		header("X-Content-Type-Options: nosniff");
+	}
+
+	if($a->config['system']['public_key_pins']) {
+		header("Public-Key-Pins: " . $a->config['system']['public_key_pins']);
+	}
+
 	require_once(theme_include( ((x($a->page, 'template')) ? $a->page['template'] : 'default' ) . '.php' ) ); |
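Review bot: The Content-Security-Policy sent right after the Content-type header is hard-coded and, with `'unsafe-inline' 'unsafe-eval'` in `script-src`, amounts to little more than a same-origin host allowlist for scripts, while the absence of `default-src`, `object-src` and `frame-ancestors` leaves every other resource type and page framing unrestricted; because it is also emitted unconditionally, a hub admin can neither tighten it nor relax it for a theme or plugin that loads scripts from another host. The `X-Xss-Protection` value carries a stray trailing `;` — the defined form is `1; mode=block`. The reads of `$a->config['system']['x_security_headers']` and `$a->config['system']['public_key_pins']` index the array directly, so if the config loader does not populate those keys each one raises an undefined-index notice on every page; the `x()` helper already used on the `require_once` line would avoid that. The `Strict-Transport-Security` header also hinges on `$a->get_scheme()` returning `'https'`, which, if scheme is derived from the local socket rather than a forwarded-proto value, may never be true behind a TLS-terminating proxy — worth confirming in the scheme detection code. I would make the policy an admin-overridable setting with the current string as its default, fix the header value, and guard the config reads as below; construct_page() continues past this hunk.

```php
	// security headers - see https://securityheaders.io

	if($a->get_scheme() === 'https')
		header("Strict-Transport-Security: max-age=31536000");

	// Default policy kept as before; 'unsafe-inline'/'unsafe-eval' make script-src
	// little more than a host allowlist, so let the admin tighten or extend it.
	$csp = ((x($a->config['system'], 'content_security_policy'))
		? $a->config['system']['content_security_policy']
		: "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
	header("Content-Security-Policy: " . $csp);

	if(x($a->config['system'], 'x_security_headers')) {
		header("X-Frame-Options: SAMEORIGIN");
		header("X-Xss-Protection: 1; mode=block"); // no trailing ';' in the defined value
		header("X-Content-Type-Options: nosniff");
	}

	if(x($a->config['system'], 'public_key_pins')) {
		header("Public-Key-Pins: " . $a->config['system']['public_key_pins']);
	}
	// … unchanged: theme template require_once …
```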