Force CSP, X-Frame DENY, no-referrer
Added optional Strict-Transport-Security in _include.php. TODO: put them in ./rainloop/v/0.0.0/app/templates/Views/Admin/AdminSettingsSecurity.html
This commit is contained in:
parent
327e6f65cd
commit
2f67fb2196
|
@ -2,13 +2,16 @@
|
|||
|
||||
// Name this file as "include.php" to enable it.
|
||||
|
||||
//\header('Strict-Transport-Security: max-age=31536000');
|
||||
|
||||
/**
|
||||
* @return string
|
||||
*/
|
||||
function __get_custom_data_full_path()
|
||||
{
|
||||
return '';
|
||||
return '/var/external-rainloop-data-folder/'; // custom data folder path
|
||||
return dirname(__DIR__) . '/rainloop-data';
|
||||
return '/var/external-rainloop-data-folder'; // custom data folder path
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -19,3 +22,4 @@ function __get_additional_configuration_name()
|
|||
return '';
|
||||
return defined('APP_SITE') && 0 < strlen(APP_SITE) ? APP_SITE.'.ini' : ''; // additional configuration file name
|
||||
}
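Review bot: The commented-out `//\header('Strict-Transport-Security: max-age=31536000');` is not tied to the `labs/force_https` option that Service already checks, so an admin who uncomments it on a host that still answers plain HTTP emits a header browsers must ignore on non-TLS responses, with nothing to signal that. A comment on that line would save a support round-trip: `// HSTS is only honoured when sent over HTTPS; enable it together with force_https, and add includeSubDomains only when every subdomain is TLS-only (browsers cache it for max-age).` In `__get_custom_data_full_path` the three `return` lines after `return '';` are unreachable and read as documentation; commenting them out with `//` would make that intent explicit and keep static analysis quiet. `__get_additional_configuration_name` in the second hunk starts before the hunk.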
|
||||
|
||||
|
|
|
@ -169,7 +169,7 @@ class Application extends \RainLoop\Config\AbstractConfig
|
|||
'Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)'),
|
||||
|
||||
'custom_server_signature' => array('RainLoop'),
|
||||
'x_frame_options_header' => array(''),
|
||||
'x_frame_options_header' => array('DENY'),
|
||||
'x_xss_protection_header' => array('1; mode=block'),
|
||||
|
||||
'openpgp' => array(false),
|
||||
|
@ -182,7 +182,7 @@ class Application extends \RainLoop\Config\AbstractConfig
|
|||
'hide_x_mailer_header' => array(true),
|
||||
'admin_panel_host' => array(''),
|
||||
'admin_panel_key' => array('admin'),
|
||||
'content_security_policy' => array(''),
|
||||
'content_security_policy' => array(APP_DEFAULT_CSP),
|
||||
'core_install_access_domain' => array('')
|
||||
),
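Review bot: `'content_security_policy' => array(APP_DEFAULT_CSP)` makes this defaults table depend on a constant defined in a different file (the `define('APP_DEFAULT_CSP', ...)` hunk in this commit), and nothing in this hunk shows that file is guaranteed to run first. If the table is ever evaluated before that define, PHP 8 throws `Error: Undefined constant`, while PHP 7 only warns and uses the bare string `APP_DEFAULT_CSP`, which would then be sent as the policy. Since Service already falls back with `?: APP_DEFAULT_CSP`, a defensive default costs nothing: `'content_security_policy' => array(\defined('APP_DEFAULT_CSP') ? APP_DEFAULT_CSP : ''),`. The enclosing `Application` class and its defaults array start and end outside both hunks.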
|
||||
|
||||
|
|
|
@ -38,17 +38,17 @@ class Service
|
|||
\header('Server: '.$sServer, true);
|
||||
}
|
||||
|
||||
$sXFrameOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_frame_options_header', ''));
|
||||
if (0 < \strlen($sXFrameOptionsHeader))
|
||||
{
|
||||
\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
|
||||
}
|
||||
\header('Referrer-Policy: no-referrer');
|
||||
\header('X-Content-Type-Options: nosniff');
|
||||
|
||||
$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', ''));
|
||||
if (0 < \strlen($sXssProtectionOptionsHeader))
|
||||
{
|
||||
\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true);
|
||||
}
|
||||
$sContentSecurityPolicy = \trim($this->oActions->Config()->Get('security', 'content_security_policy', '')) ?: APP_DEFAULT_CSP;
|
||||
\header('Content-Security-Policy: '.$sContentSecurityPolicy, true);
|
||||
|
||||
$sXFrameOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_frame_options_header', '')) ?: 'DENY';
|
||||
\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
|
||||
|
||||
$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', '')) ?: '1; mode=block';
|
||||
\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true);
|
||||
|
||||
if ($this->oActions->Config()->Get('labs', 'force_https', false) && !$this->oHttp->IsSecure())
|
||||
{
|
||||
|
@ -157,9 +157,6 @@ class Service
|
|||
}
|
||||
}
|
||||
|
||||
\header('Content-Security-Policy:');
|
||||
\header_remove('Content-Security-Policy');
|
||||
|
||||
header('Content-Type: text/html; charset=utf-8');
|
||||
$this->oHttp->ServerNoCache();
|
||||
|
||||
|
@ -245,17 +242,17 @@ class Service
|
|||
$sFaviconPngLink = $sFaviconUrl ? $sFaviconUrl : $this->staticPath('apple-touch-icon.png');
|
||||
$sAppleTouchLink = $sFaviconUrl ? '' : $this->staticPath('apple-touch-icon.png');
|
||||
|
||||
$sContentSecurityPolicy = $this->oActions->Config()->Get('security', 'content_security_policy', '');
|
||||
|
||||
$aTemplateParameters = array(
|
||||
'{{BaseAppHeadScriptLink}}' => '',
|
||||
'{{BaseAppBodyScript}}' => '',
|
||||
'{{BaseAppFaviconPngLinkTag}}' => $sFaviconPngLink ? '<link type="image/png" rel="shortcut icon" href="'.$sFaviconPngLink.'" />' : '',
|
||||
'{{BaseAppFaviconTouchLinkTag}}' => $sAppleTouchLink ? '<link type="image/png" rel="apple-touch-icon" href="'.$sAppleTouchLink.'" />' : '',
|
||||
'{{BaseAppMainCssLink}}' => $this->staticPath('css/app'.($bAppCssDebug ? '' : '.min').'.css'),
|
||||
'{{BaseAppThemeCssLink}}' => $this->oActions->ThemeLink($sTheme, $bAdmin),
|
||||
'{{BaseAppPolyfillsScriptLink}}' => '',
|
||||
'{{BaseAppBootScriptLink}}' => $this->staticPath('js/'.($bAppJsDebug ? '' : 'min/').'boot'.($bAppJsDebug ? '' : '.min').'.js'),
|
||||
'{{BaseViewport}}' => $bMobile ? 'width=device-width,initial-scale=1,user-scalable=no' : 'width=950,maximum-scale=2',
|
||||
'{{BaseContentSecurityPolicy}}' => $sContentSecurityPolicy ?
|
||||
'<meta http-equiv="Content-Security-Policy" content="'.$sContentSecurityPolicy.'" />' : '',
|
||||
'{{BaseContentSecurityPolicy}}' => '',
|
||||
'{{BaseDir}}' => false && \in_array($sLanguage, array('ar', 'he', 'ur')) ? 'rtl' : 'ltr',
|
||||
'{{BaseAppManifestLink}}' => $this->staticPath('manifest.json')
|
||||
);
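Review bot: In the `@ -38,17 +38,17 @@` hunk the `?:` fallbacks test truthiness rather than emptiness, so a configured `x_xss_protection_header` of `0` (the value commonly recommended now that major browsers have retired the legacy XSS auditor) is falsy in PHP and is silently replaced by `1; mode=block`; the same applies to `x_frame_options_header`, though `0` is not a valid value there. Compare against the empty string instead: `$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', ''));` followed by `if ('' === $sXssProtectionOptionsHeader) { $sXssProtectionOptionsHeader = '1; mode=block'; }`. The hard-coded `'DENY'`, `'1; mode=block'` and `APP_DEFAULT_CSP` fallbacks also duplicate the defaults now declared in `Application`, so drift between the two would leave the admin panel showing a value other than the one actually sent; a comment naming the config keys as the source of truth would help. In the `@ -245,17 +242,17 @@` hunk the `'{{BaseContentSecurityPolicy}}' => ''` entry appears dead once the template stops using the placeholder and could go as well. The method containing the first hunk starts before it and continues after it.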
|
||||
|
|
|
@ -11,7 +11,6 @@
|
|||
<meta name="google" content="notranslate" />
|
||||
<meta name="robots" content="noindex,nofollow,noodp" />
|
||||
<meta name="AppBootData" content='{{RainloopBootData}}' id="app-boot-data" />
|
||||
{{BaseContentSecurityPolicy}}
|
||||
<title></title>
|
||||
{{BaseAppFaviconPngLinkTag}}
|
||||
{{BaseAppFaviconTouchLinkTag}}
|
||||
|
|
|
@ -12,6 +12,9 @@
|
|||
|
||||
define('APP_USE_APC_CACHE', true);
|
||||
|
||||
// "img-src https:" is allowed due to remote images in e-mails
|
||||
define('APP_DEFAULT_CSP', "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'");
|
||||
|
||||
if (function_exists('date_default_timezone_set'))
|
||||
{
|
||||
date_default_timezone_set('UTC');
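Review bot: The new default policy lists `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, and with `'unsafe-inline'` present a CSP no longer blocks injected inline scripts, so the default switches off the main XSS mitigation the header exists for; the comment explains `img-src https:` but not why inline and eval are needed, which is what a reader must know before trying to tighten it. Suggest extending the comment: `// 'unsafe-inline'/'unsafe-eval' are presumably required by the current client code; replace with nonces/hashes once inline scripts and eval are gone`. Now that the policy is sent as a header rather than a meta tag, `frame-ancestors` is honoured too, so `frame-ancestors 'none'` (the CSP counterpart of the `X-Frame-Options: DENY` set elsewhere in this commit), `object-src 'none'` and `base-uri 'self'` could be appended unless the app still relies on plugins or a `<base>` tag, e.g. `...style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'");`. The surrounding file scope starts before the hunk.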
|
||||
|
|