Looking into the list above, I've done some initial research as to what
these headers are used for, to see if we need to add them.

* Strict-Transport-Security
- Would need to be turned on for sites running https
- Could be problems for sites with 3rd party content - but most of that should be sorted out now
- Could be a problem with self-signed certificates

* Content-Security-Policy
- helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via an HTTP header
- deals with restricting script/style/image/ajax/font/object sources
- Probably not useful for Mahara as we allow the fetching of things via the external media block

* X-Frame-Options
- currently set to: sameorigin

* X-XSS-Protection
- The role of this header is to re-enable the filter for this particular website if it was disabled by the user
- Deals with reflected XSS vulnerabilities
- When set as "X-XSS-Protection: 1; mode=block" it will prevent page loading

* X-Content-Type-Options
- the only option at the moment is 'nosniff'
- prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type

* X-Powered-By
- Exposes what PHP version you are using
- You can set expose_php = Off in your php.ini if you don't want it to send the X-Powered-By header.

* X-Permitted-Cross-Domain-Policies
- setting: 'master-only' - used by Adobe Flash
- More info: https://www.perpetual-beta.org/weblog/security-headers.html#rule-8470-2-establish-a-cross-domain-meta-policy
- a 2014 example from Twitter:

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
  <allow-access-from domain="twitter.com" />
  <allow-access-from domain="api.twitter.com" />
  <allow-access-from domain="search.twitter.com" />
  <allow-access-from domain="static.twitter.com" />
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>

* Caching headers
- Currently is like this: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- other options worth adding:
  - private - A proxy will not cache a page if it is marked as "private"
  - no-transform - option may be important for mobile users. Some mobile providers will compress or alter content, in particular images, to save bandwidth when re-transmitting content over cellular networks.

-- 
https://bugs.launchpad.net/bugs/1531987

Title:
  Review HTTP headers to improve security

Status in Mahara:
  Confirmed
Status in Mahara 1.10 series:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed

Bug description:
  We need to review our HTTP headers to improve security and check which
  ones we should include per default and which ones might need to be
  configurable. The review will include but is not limited to:

  - Strict-Transport-Security
  - Content-Security-Policy
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Server
  - X-Powered-By
  - X-Permitted-Cross-Domain-Policies
  - Caching headers

  Initial reports for X-XSS-Protection header by SaifAllah benMassaoud
  and Zeeshan.
