mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-13 03:27:39 +03:00
Force CSP, X-Frame DENY, no-referrer
Added optional Strict-Transport-Security in _include.php TODO: put them in ./rainloop/v/0.0.0/app/templates/Views/Admin/AdminSettingsSecurity.html
This commit is contained in:
parent
327e6f65cd
commit
2f67fb2196
5 changed files with 24 additions and 21 deletions
|
|
@ -2,13 +2,16 @@
|
||||||
|
|
||||||
// Name this file as "include.php" to enable it.
|
// Name this file as "include.php" to enable it.
|
||||||
|
|
||||||
|
//\header('Strict-Transport-Security: max-age=31536000');
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
function __get_custom_data_full_path()
|
function __get_custom_data_full_path()
|
||||||
{
|
{
|
||||||
return '';
|
return '';
|
||||||
return '/var/external-rainloop-data-folder/'; // custom data folder path
|
return dirname(__DIR__) . '/rainloop-data';
|
||||||
|
return '/var/external-rainloop-data-folder'; // custom data folder path
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -19,3 +22,4 @@ function __get_additional_configuration_name()
|
||||||
return '';
|
return '';
|
||||||
return defined('APP_SITE') && 0 < strlen(APP_SITE) ? APP_SITE.'.ini' : ''; // additional configuration file name
|
return defined('APP_SITE') && 0 < strlen(APP_SITE) ? APP_SITE.'.ini' : ''; // additional configuration file name
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -169,7 +169,7 @@ class Application extends \RainLoop\Config\AbstractConfig
|
||||||
'Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)'),
|
'Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)'),
|
||||||
|
|
||||||
'custom_server_signature' => array('RainLoop'),
|
'custom_server_signature' => array('RainLoop'),
|
||||||
'x_frame_options_header' => array(''),
|
'x_frame_options_header' => array('DENY'),
|
||||||
'x_xss_protection_header' => array('1; mode=block'),
|
'x_xss_protection_header' => array('1; mode=block'),
|
||||||
|
|
||||||
'openpgp' => array(false),
|
'openpgp' => array(false),
|
||||||
|
|
@ -182,7 +182,7 @@ class Application extends \RainLoop\Config\AbstractConfig
|
||||||
'hide_x_mailer_header' => array(true),
|
'hide_x_mailer_header' => array(true),
|
||||||
'admin_panel_host' => array(''),
|
'admin_panel_host' => array(''),
|
||||||
'admin_panel_key' => array('admin'),
|
'admin_panel_key' => array('admin'),
|
||||||
'content_security_policy' => array(''),
|
'content_security_policy' => array(APP_DEFAULT_CSP),
|
||||||
'core_install_access_domain' => array('')
|
'core_install_access_domain' => array('')
|
||||||
),
|
),
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -38,17 +38,17 @@ class Service
|
||||||
\header('Server: '.$sServer, true);
|
\header('Server: '.$sServer, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
$sXFrameOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_frame_options_header', ''));
|
\header('Referrer-Policy: no-referrer');
|
||||||
if (0 < \strlen($sXFrameOptionsHeader))
|
\header('X-Content-Type-Options: nosniff');
|
||||||
{
|
|
||||||
\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', ''));
|
$sContentSecurityPolicy = \trim($this->oActions->Config()->Get('security', 'content_security_policy', '')) ?: APP_DEFAULT_CSP;
|
||||||
if (0 < \strlen($sXssProtectionOptionsHeader))
|
\header('Content-Security-Policy: '.$sContentSecurityPolicy, true);
|
||||||
{
|
|
||||||
\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true);
|
$sXFrameOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_frame_options_header', '')) ?: 'DENY';
|
||||||
}
|
\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
|
||||||
|
|
||||||
|
$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', '')) ?: '1; mode=block';
|
||||||
|
\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true);
|
||||||
|
|
||||||
if ($this->oActions->Config()->Get('labs', 'force_https', false) && !$this->oHttp->IsSecure())
|
if ($this->oActions->Config()->Get('labs', 'force_https', false) && !$this->oHttp->IsSecure())
|
||||||
{
|
{
|
||||||
|
|
@ -157,9 +157,6 @@ class Service
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
\header('Content-Security-Policy:');
|
|
||||||
\header_remove('Content-Security-Policy');
|
|
||||||
|
|
||||||
header('Content-Type: text/html; charset=utf-8');
|
header('Content-Type: text/html; charset=utf-8');
|
||||||
$this->oHttp->ServerNoCache();
|
$this->oHttp->ServerNoCache();
|
||||||
|
|
||||||
|
|
@ -245,17 +242,17 @@ class Service
|
||||||
$sFaviconPngLink = $sFaviconUrl ? $sFaviconUrl : $this->staticPath('apple-touch-icon.png');
|
$sFaviconPngLink = $sFaviconUrl ? $sFaviconUrl : $this->staticPath('apple-touch-icon.png');
|
||||||
$sAppleTouchLink = $sFaviconUrl ? '' : $this->staticPath('apple-touch-icon.png');
|
$sAppleTouchLink = $sFaviconUrl ? '' : $this->staticPath('apple-touch-icon.png');
|
||||||
|
|
||||||
$sContentSecurityPolicy = $this->oActions->Config()->Get('security', 'content_security_policy', '');
|
|
||||||
|
|
||||||
$aTemplateParameters = array(
|
$aTemplateParameters = array(
|
||||||
|
'{{BaseAppHeadScriptLink}}' => '',
|
||||||
|
'{{BaseAppBodyScript}}' => '',
|
||||||
'{{BaseAppFaviconPngLinkTag}}' => $sFaviconPngLink ? '<link type="image/png" rel="shortcut icon" href="'.$sFaviconPngLink.'" />' : '',
|
'{{BaseAppFaviconPngLinkTag}}' => $sFaviconPngLink ? '<link type="image/png" rel="shortcut icon" href="'.$sFaviconPngLink.'" />' : '',
|
||||||
'{{BaseAppFaviconTouchLinkTag}}' => $sAppleTouchLink ? '<link type="image/png" rel="apple-touch-icon" href="'.$sAppleTouchLink.'" />' : '',
|
'{{BaseAppFaviconTouchLinkTag}}' => $sAppleTouchLink ? '<link type="image/png" rel="apple-touch-icon" href="'.$sAppleTouchLink.'" />' : '',
|
||||||
'{{BaseAppMainCssLink}}' => $this->staticPath('css/app'.($bAppCssDebug ? '' : '.min').'.css'),
|
'{{BaseAppMainCssLink}}' => $this->staticPath('css/app'.($bAppCssDebug ? '' : '.min').'.css'),
|
||||||
'{{BaseAppThemeCssLink}}' => $this->oActions->ThemeLink($sTheme, $bAdmin),
|
'{{BaseAppThemeCssLink}}' => $this->oActions->ThemeLink($sTheme, $bAdmin),
|
||||||
|
'{{BaseAppPolyfillsScriptLink}}' => '',
|
||||||
'{{BaseAppBootScriptLink}}' => $this->staticPath('js/'.($bAppJsDebug ? '' : 'min/').'boot'.($bAppJsDebug ? '' : '.min').'.js'),
|
'{{BaseAppBootScriptLink}}' => $this->staticPath('js/'.($bAppJsDebug ? '' : 'min/').'boot'.($bAppJsDebug ? '' : '.min').'.js'),
|
||||||
'{{BaseViewport}}' => $bMobile ? 'width=device-width,initial-scale=1,user-scalable=no' : 'width=950,maximum-scale=2',
|
'{{BaseViewport}}' => $bMobile ? 'width=device-width,initial-scale=1,user-scalable=no' : 'width=950,maximum-scale=2',
|
||||||
'{{BaseContentSecurityPolicy}}' => $sContentSecurityPolicy ?
|
'{{BaseContentSecurityPolicy}}' => '',
|
||||||
'<meta http-equiv="Content-Security-Policy" content="'.$sContentSecurityPolicy.'" />' : '',
|
|
||||||
'{{BaseDir}}' => false && \in_array($sLanguage, array('ar', 'he', 'ur')) ? 'rtl' : 'ltr',
|
'{{BaseDir}}' => false && \in_array($sLanguage, array('ar', 'he', 'ur')) ? 'rtl' : 'ltr',
|
||||||
'{{BaseAppManifestLink}}' => $this->staticPath('manifest.json')
|
'{{BaseAppManifestLink}}' => $this->staticPath('manifest.json')
|
||||||
);
|
);
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,6 @@
|
||||||
<meta name="google" content="notranslate" />
|
<meta name="google" content="notranslate" />
|
||||||
<meta name="robots" content="noindex,nofollow,noodp" />
|
<meta name="robots" content="noindex,nofollow,noodp" />
|
||||||
<meta name="AppBootData" content='{{RainloopBootData}}' id="app-boot-data" />
|
<meta name="AppBootData" content='{{RainloopBootData}}' id="app-boot-data" />
|
||||||
{{BaseContentSecurityPolicy}}
|
|
||||||
<title></title>
|
<title></title>
|
||||||
{{BaseAppFaviconPngLinkTag}}
|
{{BaseAppFaviconPngLinkTag}}
|
||||||
{{BaseAppFaviconTouchLinkTag}}
|
{{BaseAppFaviconTouchLinkTag}}
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,9 @@
|
||||||
|
|
||||||
define('APP_USE_APC_CACHE', true);
|
define('APP_USE_APC_CACHE', true);
|
||||||
|
|
||||||
|
// "img-src https:" is allowed due to remote images in e-mails
|
||||||
|
define('APP_DEFAULT_CSP', "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'");
|
||||||
|
|
||||||
if (function_exists('date_default_timezone_set'))
|
if (function_exists('date_default_timezone_set'))
|
||||||
{
|
{
|
||||||
date_default_timezone_set('UTC');
|
date_default_timezone_set('UTC');
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue