BryanDavis has uploaded a new change for review.
https://gerrit.wikimedia.org/r/165692
Change subject: Add headers to make attacking the site harder
......................................................................
Add headers to make attacking the site harder
Add httponly flag to session cookie and X-Frame-Options,
Content-Security-Policy and Content-Type header with default charset.
These are all easy measures to help protect against XSS and exfiltration
attacks.
Bug: 71624
Change-Id: Ie89c5a9ac914d7c62d358cfa9379766bdc467af8
---
M src/App.php
1 file changed, 7 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/wikimedia/iegreview refs/changes/92/165692/1
diff --git a/src/App.php b/src/App.php
index 3f6a133..5d34bc1 100644
--- a/src/App.php
+++ b/src/App.php
@@ -128,6 +128,7 @@
public function run () {
session_name( '_s' );
session_cache_limiter( false );
+ ini_set( 'session.cookie_httponly', true );
session_start();
register_shutdown_function( 'session_write_close' );
$this->slim->run();
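Review bot: the new `ini_set( 'session.cookie_httponly', true );` line stops script access to the session cookie but still lets it be sent over cleartext HTTP; consider setting `session.cookie_secure` alongside it (when the site is served over HTTPS), and keep both before `session_start()` as done here. `ini_set()` takes a string value, so `'1'` is the idiomatic argument (PHP coerces `true` to `"1"`, so it works), and the call returns `false` when the directive cannot be changed at runtime, which is worth checking or logging rather than silently continuing without the flag.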
@@ -280,6 +281,12 @@
// Add a Vary: Cookie header to all responses
$headerMiddleware = new HeaderMiddleware( array(
'Vary' => 'Cookie',
+ 'X-Frame-Options' => 'DENY',
+ 'Content-Security-Policy' =>
+ "default-src 'self'; frame-src 'none';
object-src 'none'",
+ // Don't forget to override this for any content that
is not
+ // actually HTML (e.g. json)
+ 'Content-Type' => 'text/html; charset=UTF-8',
) );
$slim->add( $headerMiddleware );
// Add CSRF protection
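Review bot: `default-src 'self'` with no explicit `script-src` / `style-src` blocks every inline `<script>`, inline event handler and `style=` attribute in the existing templates, so this needs to be exercised against every page (or shipped first as `Content-Security-Policy-Report-Only` with a `report-uri`) before being enforced. Two smaller points on the same hunk: if the line break between `frame-src 'none';` and `object-src 'none'"` is in the source rather than only mail wrapping, the header value contains a raw newline, which PHP's `header()` rejects, so keep the literal on one line; and since `frame-src` only restricts what this site may embed, it is `X-Frame-Options: DENY` that prevents others from framing it, so adding `frame-ancestors 'none'` would give CSP-aware browsers the same protection. The comment about overriding the default `Content-Type` is helpful; confirm the middleware ordering lets route-level JSON responses replace it rather than emit both headers.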
--
To view, visit https://gerrit.wikimedia.org/r/165692
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie89c5a9ac914d7c62d358cfa9379766bdc467af8
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/iegreview
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <[email protected]>
Gerrit-Reviewer: jenkins-bot <>