introducing CSP header to mitigate XSS attacks, closes #10

This commit is contained in:
El RIDO
2016-08-09 14:46:32 +02:00
parent a28aebae7d
commit addb666a23
11 changed files with 75 additions and 18 deletions


@@ -51,6 +51,7 @@ class Configuration
'languagedefault' => '',
'urlshortener' => '',
'vizhash' => true,
'cspheader' => 'default-src \'none\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\';',
'zerobincompatibility' => false,
),
'expire' => array(
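Review bot: The default policy on the `'cspheader'` line leaves `frame-ancestors` and `form-action` unrestricted, because `default-src` is not a fallback for those directives, so the policy does not cover framing of the page or where forms may post. If the application is not meant to be embedded, appending `frame-ancestors 'none'; form-action 'self';` to the default would close that gap; if embedding is intended, a comment saying so would help. `connect-src *` widens the policy to any origin for XHR, and a short comment above the key naming why that is required would stop a later maintainer from tightening it by accident. The defaults array and `class Configuration` begin outside the hunk.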


@@ -402,6 +402,7 @@ class PrivateBin
header('Expires: ' . $time);
header('Last-Modified: ' . $time);
header('Vary: Accept');
header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
// label all the expiration options
$expire = array();
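Review bot: An empty configured value produces a bare `Content-Security-Policy:` header, since the added line concatenates the key into the header unconditionally. Reading the value first and sending the header only when it is non-empty, `$csp = $this->_conf->getKey('cspheader'); if ($csp !== '') { header('Content-Security-Policy: ' . $csp); }`, lets an administrator disable the policy cleanly and keeps the response free of an empty header. Whether `getKey()` falls back to the default when the key is absent cannot be seen from this hunk. The enclosing method starts and ends outside the hunk.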