getgrav / grav

Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
https://getgrav.org
MIT License

Question/Feature request: HTTP security headers #2288

Open Rotzbua opened 5 years ago

Rotzbua commented 5 years ago

Hi, I tried grav for a new website.

I am glad to see that you offer an XSS plugin, but why do you not use XSS protection on the client side? There are several HTTP headers which enable security features in modern browsers, e.g. X-XSS-Protection.

So some questions:

  1. Why are no security headers used by Grav?
  2. Does Grav provide a method to set custom HTTP headers?
  3. Should some security headers be added (pull request) to Grav?

Test: https://securityheaders.com/?q=https%3A%2F%2Fgetgrav.org%2F

rhukster commented 5 years ago

Aren't most security headers configured and set in your web server? Anyway, you can easily create a plugin that dynamically adds any header you like.
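The plugin approach suggested above, as an added example that is not code from the Grav project or from either commenter. It assumes Grav's plugin API (the `Plugin` base class, `getSubscribedEvents()`, `enable()`, `isAdmin()`, the `onOutputGenerated` event) and a hypothetical plugin named `security-headers` whose overrides live under `plugins.security-headers.headers` in its YAML config.

```php
<?php
// Added example: a minimal Grav plugin that emits common security headers.
// Assumes the Grav plugin API named in the lead-in and a hypothetical
// plugin name "security-headers" (config key plugins.security-headers.headers).
namespace Grav\Plugin;

use Grav\Common\Plugin;

class SecurityHeadersPlugin extends Plugin
{
    // Defaults, used for any header the site config does not override.
    private const DEFAULT_HEADERS = [
        'X-Content-Type-Options'    => 'nosniff',
        'X-Frame-Options'           => 'SAMEORIGIN',
        'Referrer-Policy'           => 'strict-origin-when-cross-origin',
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        // CSP is what current browsers honour instead of X-XSS-Protection;
        // start restrictive and widen it per site as the theme requires.
        'Content-Security-Policy'   => "default-src 'self'; object-src 'none'; frame-ancestors 'self'",
    ];

    public static function getSubscribedEvents(): array
    {
        return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
    }

    public function onPluginsInitialized(): void
    {
        if ($this->isAdmin()) {
            return; // leave the admin panel untouched; it ships its own pages and scripts
        }
        $this->enable(['onOutputGenerated' => ['onOutputGenerated', 0]]);
    }

    public function onOutputGenerated(): void
    {
        if (headers_sent()) {
            return; // too late to add headers once the body has started
        }
        $overrides = (array) $this->config->get('plugins.security-headers.headers', []);
        $isHttps   = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        foreach (array_merge(self::DEFAULT_HEADERS, $overrides) as $name => $value) {
            if ($value === false || $value === '') {
                continue; // set a header to false in the config to suppress it
            }
            if ($name === 'Strict-Transport-Security' && !$isHttps) {
                continue; // HSTS is only meaningful (and only honoured) over HTTPS
            }
            header($name . ': ' . $value, true);
        }
    }
}
```

After installing the plugin, re-running the securityheaders.com scan linked in the issue shows which of these headers the response now carries.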