9920: set CSP and STS security header
authorLars Kneschke <l.kneschke@metaways.de>
Tue, 13 May 2014 20:14:07 +0000 (22:14 +0200)
committerPhilipp Schüle <p.schuele@metaways.de>
Mon, 19 May 2014 11:50:39 +0000 (13:50 +0200)
Change-Id: Ib874952b2a3810815352560b6a3e93b15023d664
Task-Url: https://forge.tine20.org/mantisbt/view.php?id=9920
Reviewed-on: http://gerrit.tine20.com/customers/635
Reviewed-by: Lars Kneschke <l.kneschke@metaways.de>
Tested-by: Jenkins CI (http://ci.tine20.com/)
Tested-by: sstamer <s.stamer@metaways.de>
Reviewed-by: Philipp Schüle <p.schuele@metaways.de>
tine20/Tinebase/Frontend/Http.php

index 1843468..84479aa 100644 (file)
@@ -267,9 +267,7 @@ class Tinebase_Frontend_Http extends Tinebase_Frontend_Http_Abstract
     /**
      * set headers for mainscreen
      * 
-     * @todo think about CSP: is only supported by FF atm, which options/exceptions should we choose?
      * @todo allow to configure security headers?
-     * @todo add violation report for CSP? @see https://developer.mozilla.org/en/Security/CSP/Using_CSP_violation_reports
      */
     protected function _setMainscreenHeaders()
     {
@@ -283,9 +281,16 @@ class Tinebase_Frontend_Http extends Tinebase_Frontend_Http_Abstract
         // @see https://developer.mozilla.org/en/the_x-frame-options_response_header
         header('X-Frame-Options: SAMEORIGIN');
         
-        // set X-Content-Security-Policy header against clickjacking and XSS
+        // set Content-Security-Policy header against clickjacking and XSS
         // @see https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives
-        //header("X-Content-Security-Policy: allow 'self' https://*.officespot20.com;");
+        header("Content-Security-Policy: default-src 'self'");
+        header("Content-Security-Policy: script-src 'self' 'unsafe-eval' https://versioncheck.tine20.net");
+        // headers for IE 10+11
+        header("X-Content-Security-Policy: default-src 'self'");
+        header("X-Content-Security-Policy: script-src 'self' 'unsafe-eval' https://versioncheck.tine20.net");
+        
+        // set Strict-Transport-Security; used only when served over HTTPS
+        header('Strict-Transport-Security: max-age=16070400');
         
         // cache mainscreen for 10 minutes
         $maxAge = 600;
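Review bot: The second `header("Content-Security-Policy: ...")` call (the `script-src` line) silently replaces the first, because PHP's header() defaults to $replace = true, so the `default-src 'self'` directive never reaches the browser and only script-src is enforced; the X-Content-Security-Policy pair two lines below has the same problem. Directives belong in one header value separated by semicolons: `header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' https://versioncheck.tine20.net");` and `header("X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' https://versioncheck.tine20.net");`. The comment "against clickjacking and XSS" overstates what this policy does: framing is covered by the X-Frame-Options line above, not by these directives, and 'unsafe-eval' in script-src weakens the XSS protection, so a short comment on why it is required would help, e.g. `// 'unsafe-eval' needed by <component — TODO confirm>`. The removed @todo about CSP violation reports is not replaced by a report-uri directive, so policy breakage in the field will go unnoticed unless that is added later. _setMainscreenHeaders continues outside the hunk.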