Open gpa opened 8 years ago
Top stuff, thanks! I'll implement this (and other tasks) in the next weeks / asap!
@panique Any plans on adding this? :) I understand you have been extremely busy.
To keep the project stable, clean and maintainable, I would kindly announce the "soft-End of Life" for this project, meaning:
A. HUGE will not get any new features in the future, but ...
B. bugfixes and corrections will be made, probably for years
Hi,
Just to help some people out: to fix these errors, add this to your .htaccess file.
Please read up on the Content-Security-Policy, as you will need to fine-tune it for your needs. E.g. I use Cloudinary and call jQuery from googleapis, so I needed to add those to enable the scripts to run. An error is thrown in the browser's debug console, so they are easy to fix.
Cheers
```apache
# Goes into the mod_headers.c section of .htaccess
<IfModule mod_headers.c>
    # HSTS only makes sense on HTTPS responses, hence env=HTTPS
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    # Wildcard hosts (*.cloudflare.com etc.) must keep their leading asterisk
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' www.google-analytics.com *.cloudflare.com *.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: *.cloudflare.com *.cloudinary.com"
    Header always set Referrer-Policy "same-origin"
    Header set X-Content-Type-Options nosniff
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    # Static assets are never framed pages, so drop X-Frame-Options for them
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset X-Frame-Options
    </FilesMatch>
</IfModule>
```
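Added example, not part of this thread or of the HUGE project: a small offline checker that parses a raw HTTP response and reports which of the headers above are missing or weakly configured (short HSTS max-age, `'unsafe-inline'`/`'unsafe-eval'`/`*` in `script-src`, wrong `X-Content-Type-Options` or `X-Frame-Options` values). The response block is constructed for the example, not captured from any real host; the header set it checks for is the one listed in the .htaccess snippet above.

```python
"""Offline audit of the security response headers discussed in this thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured from a real server); it deliberately
# omits Referrer-Policy and allows 'unsafe-inline' scripts so the audit has findings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; "
    "script-src 'self' 'unsafe-inline' *.googleapis.com; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

# Headers the .htaccess snippet above sets; the audit reports any that are absent.
REQUIRED = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response into {lower-cased name: value}, stopping at the blank line."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break  # end of header block; anything after is body
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, detail) findings: 'missing' headers and 'weak' values."""
    findings: List[Tuple[str, str]] = []
    for name in REQUIRED:
        if name not in headers:
            findings.append(("missing", name))

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append(("weak", "strict-transport-security: max-age below one year"))

    csp = headers.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        # script-src falls back to default-src when not set explicitly
        script_src = policy.get("script-src", policy.get("default-src", []))
        for src in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if src in script_src:
                findings.append(("weak", f"content-security-policy: script-src allows {src}"))

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(("weak", "x-content-type-options: expected nosniff"))

    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("weak", "x-frame-options: expected DENY or SAMEORIGIN"))

    return findings


if __name__ == "__main__":
    for severity, detail in audit(parse_headers(SAMPLE_RESPONSE)):
        print(f"{severity}: {detail}")
```

To run it against a live site, feed the output of `curl -sI https://example.invalid/` (an assumed URL) into `parse_headers` instead of `SAMPLE_RESPONSE`; note that the `env=HTTPS` condition in the snippet above means HSTS will only appear on HTTPS responses, so an HTTP-only check will report it as missing.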
@CaptainKarma or @panique kindly submit a pull request for this.
The code is missing some important headers
https://securityheaders.io/?q=http%3A%2F%2F104.131.8.128%2Flogin%2Findex&followRedirects=on
Here's Facebook for comparison: https://securityheaders.io/?q=facebook.com&followRedirects=on and Google: https://securityheaders.io/?q=https%3A%2F%2Faccounts.google.com%2FServiceLogin%3Fhl%3Dde%26passive%3Dtrue%26continue%3Dhttp%3A%2F%2Fwww.google.de%2F%253Fgfe_rd%253Dcr%2526ei%253DR7nCV-GEJc3b8AeWoYLwDQ&followRedirects=on
And while this is not implemented, we should mention the importance of SSL in the readme file.