Commit a62f38a1 authored by Morris Jobke's avatar Morris Jobke

Merge pull request #15225 from...

Merge pull request #15225 from owncloud/make-setups-for-users-that-tend-to-use-owncloud-on-not-proper-machines-a-little-bit-more-secure

Add some generic default headers as well via PHP
parents 880b31c5 9d1ce53c
# Version: 8.1.0 # Version: 8.1.0
<IfModule mod_fcgid.c>
<IfModule mod_setenvif.c>
<IfModule mod_headers.c> <IfModule mod_headers.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1 <IfModule mod_fcgid.c>
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION <IfModule mod_setenvif.c>
</IfModule> SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
</IfModule> RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
</IfModule>
<IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
SetEnv modHeadersAvailable true
</IfModule>
# Add cache control for CSS and JS files
<FilesMatch "\.(css|js)$">
Header set Cache-Control "max-age=7200, public"
</FilesMatch>
</IfModule> </IfModule>
<IfModule mod_php5.c> <IfModule mod_php5.c>
php_value upload_max_filesize 513M php_value upload_max_filesize 513M
...@@ -42,14 +56,5 @@ DirectoryIndex index.php index.html ...@@ -42,14 +56,5 @@ DirectoryIndex index.php index.html
AddDefaultCharset utf-8 AddDefaultCharset utf-8
Options -Indexes Options -Indexes
<IfModule pagespeed_module> <IfModule pagespeed_module>
ModPagespeed Off ModPagespeed Off
</IfModule>
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
<FilesMatch "\.(css|js)$">
Header set Cache-Control "max-age=7200, public"
</FilesMatch>
</IfModule> </IfModule>
...@@ -115,9 +115,9 @@ ...@@ -115,9 +115,9 @@
}; };
for (var header in securityHeaders) { for (var header in securityHeaders) {
if(xhr.getResponseHeader(header) !== securityHeaders[header]) { if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
messages.push( messages.push(
t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}) t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]})
); );
} }
} }
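Review bot: The new condition on the `if` line calls `xhr.getResponseHeader(header)` twice in one expression; reading it once into a local keeps the line short and avoids the repeated lookup: `var value = xhr.getResponseHeader(header);` followed by `if(!value || value.toLowerCase() !== securityHeaders[header].toLowerCase()) {`. The comparison is now case-insensitive, so a server that answers `Sameorigin` where the expected value reads `SAMEORIGIN` is no longer reported; that appears deliberate given the PHP fallback added in this commit, and a one-line comment such as `// header values are compared case-insensitively; the PHP fallback sends them in a different case than the .htaccess` would stop a later reader from tightening it again. The enclosing function and the `securityHeaders` literal start outside the hunk.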
...@@ -140,7 +140,7 @@ describe('OC.SetupChecks tests', function() { ...@@ -140,7 +140,7 @@ describe('OC.SetupChecks tests', function() {
); );
async.done(function( data, s, x ){ async.done(function( data, s, x ){
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security risk and we recommend adjusting this setting.']); expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.']);
done(); done();
}); });
}); });
...@@ -155,12 +155,11 @@ describe('OC.SetupChecks tests', function() { ...@@ -155,12 +155,11 @@ describe('OC.SetupChecks tests', function() {
'X-Robots-Tag': 'none', 'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN', 'X-Frame-Options': 'SAMEORIGIN',
'Strict-Transport-Security': '2678400' 'Strict-Transport-Security': '2678400'
} }
); );
async.done(function( data, s, x ){ async.done(function( data, s, x ){
expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security risk and we recommend adjusting this setting.']); expect(data).toEqual(['The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.', 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.']);
done(); done();
}); });
}); });
...@@ -202,7 +201,7 @@ describe('OC.SetupChecks tests', function() { ...@@ -202,7 +201,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){ async.done(function( data, s, x ){
expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.']); expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.']);
done(); done();
}); });
}); });
...@@ -218,7 +217,7 @@ describe('OC.SetupChecks tests', function() { ...@@ -218,7 +217,7 @@ describe('OC.SetupChecks tests', function() {
); );
async.done(function( data, s, x ){ async.done(function( data, s, x ){
expect(data).toEqual(['Error occurred while checking server setup', 'Error occurred while checking server setup']); expect(data).toEqual(['Error occurred while checking server setup', 'Error occurred while checking server setup']);
done(); done();
}); });
}); });
...@@ -237,7 +236,7 @@ describe('OC.SetupChecks tests', function() { ...@@ -237,7 +236,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){ async.done(function( data, s, x ){
expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']); expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']);
done(); done();
}); });
}); });
...@@ -229,6 +229,15 @@ class OC_Response { ...@@ -229,6 +229,15 @@ class OC_Response {
. 'media-src *; ' . 'media-src *; '
. 'connect-src *'; . 'connect-src *';
header('Content-Security-Policy:' . $policy); header('Content-Security-Policy:' . $policy);
// Send fallback headers for installations that don't have the possibility to send
// custom headers on the webserver side
if(getenv('modHeadersAvailable') !== 'true') {
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
}
} }
} }
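Review bot: The fallback `header('X-Frame-Options: Sameorigin');` uses a different case than the `SAMEORIGIN` written by the .htaccess in this same commit and than the value the JavaScript setup check expects, which looks like the reason that check was loosened to a case-insensitive comparison; sending `header('X-Frame-Options: SAMEORIGIN');` keeps all three in lockstep and does not rely on every client parsing the value case-insensitively. The `getenv('modHeadersAvailable') !== 'true'` guard only works if the web server exports the variable that `SetEnv modHeadersAvailable true` sets into PHP's environment, which is presumably the case for mod_php but is worth confirming for FastCGI/FPM setups, where the fallback would then be sent in addition to the Apache headers. A comment on the guard along the lines of `// modHeadersAvailable is exported by the shipped .htaccess when mod_headers and mod_env are both loaded` would make that coupling visible to whoever edits either file next. The surrounding method starts outside the hunk.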
...@@ -468,6 +468,7 @@ if ($_['cronErrors']) { ...@@ -468,6 +468,7 @@ if ($_['cronErrors']) {
<li><a target="_blank" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?></a></li> <li><a target="_blank" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?></a></li>
<li><a target="_blank" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?></a></li> <li><a target="_blank" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?></a></li>
<li><a target="_blank" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?></a></li> <li><a target="_blank" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?></a></li>
<li><a target="_blank" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?></a></li>
</ul> </ul>
</div> </div>