<?php
// Plugin registration: a filter plugin (the low bits look like the load priority used by
// other Zenphoto plugins) that contributes security related HTTP response headers on the frontend.
$plugin_is_filter = CLASS_PLUGIN | 9;
$plugin_description = gettext('A plugin to enable basic usage of various security related HTTP response headers for the frontend. <p class="warningbox">Caution: Misconfiguration may break your site.</p>');
$plugin_author = 'Malte Müller (acrylian)';
$plugin_category = gettext('security');
// Admin options are defined by securityheadersOptions below.
$option_interface = 'securityheadersOptions';
// The headers themselves are sent from the theme_headers filter, i.e. for theme pages only.
zp_register_filter('theme_headers', 'securityHeaders::setHeaders');
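class securityheadersOptions {

	/**
	 * Sets the option defaults: CSP enabled, frame-ancestors enabled, mixed content blocked,
	 * X-Frame-Options "deny", X-XSS-Protection enabled and Referrer-Policy "same-origin".
	 */
	function __construct() {
		setOptionDefault('securityheaders_csp', 1);
		setOptionDefault('securityheaders_csp_frameancestors', 1);
		setOptionDefault('securityheaders_csp_blockallmixedcontent', 1);
		setOptionDefault('securityheaders_xframeoptions', 'deny');
		setOptionDefault('securityheaders_xxssprotection_enable', 1);
		setOptionDefault('securityheaders_referrerpolicy', 'same-origin');
	}

	/**
	 * Builds the admin option definitions.
	 *
	 * The CSP directives that consist of a keyword checkbox list plus a free-text host-source
	 * box are generated by getFetchDirectiveOptions() so that every directive is defined the
	 * same way (and the MDN link is derived from the directive name instead of being typed by hand).
	 * All other options are listed explicitly.
	 *
	 * @return array option definitions keyed by their display label
	 */
	function getOptionsSupported() {
		$mdn = 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/';
		$options = array(
			'Content-Security-Policy Note' => array(
				'key' => 'securityheaders_csp_note1',
				'type' => OPTION_TYPE_NOTE,
				'order' => 0,
				'desc' => '<h2>Content-Security-Policy</h2>'
				. '<p>' . gettext('The Content-Security-Policy header allows you to control which resourcess browsers are allowed to load. For detailed info please see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy</a>.') . '</p>'
				. '<p>' . gettext('Use the Report-Only option to test before setting directives live. Review your browser log/console for block reports.') . '</p>'
			),
			'Content-Security-Policy' => array(
				'key' => 'securityheaders_csp',
				'type' => OPTION_TYPE_CHECKBOX,
				'order' => 2,
				'desc' => gettext('Enable or disable the Content-Security-Policy.')
			),
			'Content-Security-Policy-Report-Only' => array(
				'key' => 'securityheaders_csp_reportonly',
				'type' => OPTION_TYPE_CHECKBOX,
				'order' => 2,
				'desc' => gettext('Set the Content-Security-Policy header to report mode but not actually block anything.')
			)
		);
		// directive => array(base option key, order, description, show the nonce note)
		$fetchdirectives = array(
			'default-src' => array('securityheaders_csp_defaultsrc', 2, gettext('Fallback directive for all <em>*-src</em> fetch directives.'), true),
			'connect-src' => array('securityheaders_csp_connectsrc', 3, gettext('Allowed sources for loading script interfaces.'), true),
			'font-src' => array('securityheaders_csp_fontsrc', 4, gettext('Allowed sources for font loading.'), true),
			'frame-src' => array('securityheaders_csp_framesrc', 5, gettext('Allowed sources for frames.'), true),
			'img-src' => array('securityheaders_csp_imgsrc', 6, gettext('Allowed sources for images.'), true),
			'manifest-src' => array('securityheaders_csp_manifestsrc', 7, gettext('Allowed sources for application manifest files.'), true),
			'media-src' => array('securityheaders_csp_mediasrc', 9, gettext('Allowed sources for video and audio.'), true),
			'object-src' => array('securityheaders_csp_objectsrc', 10, gettext('Allowed sources for object, embed and applet usage'), true),
			'script-src' => array('securityheaders_csp_scriptsrc', 11, gettext('Allowed sources for JavaScript.'), true),
			'style-src' => array('securityheaders_csp_stylesrc', 12, gettext('Allowed sources for CSS.'), true),
			'base-uri' => array('securityheaders_csp_baseuri', 13, gettext('Restrict the base URI of the document.'), false)
		);
		foreach ($fetchdirectives as $directive => $def) {
			list($key, $order, $desc, $csptext) = $def;
			$options = array_merge($options, self::getFetchDirectiveOptions($directive, $key, $order, $desc, $csptext));
		}
		$options['Content-Security-Policy: plugin-types'] = array(
			'key' => 'securityheaders_csp_plugintypes',
			'type' => OPTION_TYPE_CHECKBOX_UL,
			'checkboxes' => self::getContentSecuritytPolicyPluginTypes(),
			'order' => 14,
			'desc' => '<p>' . gettext('Restricts specific plugin types a browser is allowed to load (e.g. Java Applets, Flash videos etc.) if the object-src directive is set to "none".') . '</p>' . self::getStandardDesc($mdn . 'Content-Security-Policy/plugin-types')
		);
		$options['Content-Security-Policy: sandbox'] = array(
			'key' => 'securityheaders_csp_sandbox',
			'type' => OPTION_TYPE_CHECKBOX_UL,
			'checkboxes' => self::getContentSecurityPolicySandboxSources(),
			'order' => 15,
			'desc' => '<p>' . gettext('Enables sandbox for the requested source.') . '</p>' . self::getStandardDesc($mdn . 'Content-Security-Policy/sandbox')
		);
		$options = array_merge($options, self::getFetchDirectiveOptions('form-action', 'securityheaders_csp_formaction', 16, gettext('Restricts target URLs for form actions.'), true));
		// frame-ancestors has its own, smaller keyword list (no unsafe-*/nonce sources)
		$options = array_merge($options, self::getFetchDirectiveOptions('frame-ancestors', 'securityheaders_csp_frameancestors', 17, gettext('Specifices parents for frame, iframe, object, embed and applet. Helps prevent clickjacking and the site being loaded within other sites.'), false, self::getContentSecurityPolicyFrameAncestorsSources()));
		$options = array_merge($options, array(
			'Content-Security-Policy: block-all-mixed-content' => array(
				'key' => 'securityheaders_csp_blockallmixedcontent',
				'type' => OPTION_TYPE_CHECKBOX,
				'order' => 18,
				'desc' => '<p>' . gettext('Prevents http content being loaded if the site is in https mode.') . '</p>' . self::getStandardDesc($mdn . 'Content-Security-Policy/block-all-mixed-content')
			),
			'Content-Security-Policy: upgrade-insecure-requests' => array(
				'key' => 'securityheaders_csp_upgradeinsecurerequests',
				'type' => OPTION_TYPE_CHECKBOX,
				'order' => 19,
				'desc' => '<p>' . gettext('Instructs the browser to treat insecure http URLs like https ones.') . '</p>' . self::getStandardDesc($mdn . 'Content-Security-Policy/upgrade-insecure-requests')
			),
			'Strict-Transport-Security Note' => array(
				'key' => 'securityheaders_hsts_note',
				'type' => OPTION_TYPE_NOTE,
				'order' => 26,
				'desc' => gettext('<h2>Strict-Transport-Security</h2><hr>')
			),
			'Strict-Transport-Security: max-age' => array(
				'key' => 'securityheaders_hsts',
				'type' => OPTION_TYPE_TEXTBOX,
				'order' => 27,
				'desc' => '<p>' . gettext('Enter the max age in seconds. Instructs the browser that the site should be accessed via https only') . '</p>' . self::getStandardDesc($mdn . 'Strict-Transport-Security')
			),
			'Strict-Transport-Security - includeSubdomains' => array(
				'key' => 'securityheaders_hsts_includesubdomains',
				'type' => OPTION_TYPE_CHECKBOX,
				'order' => 28,
				'desc' => '<p>' . gettext('Optional to include sub domains') . '</p>'
			),
			'Strict-Transport-Security - preload' => array(
				'key' => 'securityheaders_hsts_preload',
				'type' => OPTION_TYPE_CHECKBOX,
				'order' => 29,
				'desc' => '<p>' . gettext('Optional') . '</p>'
			),
			'Other note' => array(
				'key' => 'securityheaders_others_note',
				'type' => OPTION_TYPE_NOTE,
				'order' => 30,
				'desc' => gettext('<h2>Other headers</h2><hr>')
			),
			'X-Frame-Options' => array(
				'key' => 'securityheaders_xframeoptions',
				'type' => OPTION_TYPE_RADIO,
				'buttons' => self::getXframeSources(),
				'order' => 30,
				'desc' => '<p>' . gettext('Legacy header for old browsers replaced by Content-Security-Policy: frame-ancestors') . '</p>' . self::getStandardDesc($mdn . 'X-Frame-Options')
			),
			// Shares its option key with the CSP frame-ancestors host-source box (both restrict
			// who may frame the site), so securityHeaders::setXFrameOptions() must read this key
			// for "allow-from" to pick up the value entered here.
			'X-Frame-Options - allow-from hosts' => array(
				'key' => 'securityheaders_csp_frameancestors_hosts',
				'type' => OPTION_TYPE_TEXTBOX,
				'order' => 30,
				'desc' => gettext('Enter one or more domains if allow-from is selected above.')
			),
			'X-Content-Type-Options: nosniff' => array(
				'key' => 'securityheaders_xcontentnosniff',
				'type' => OPTION_TYPE_CHECKBOX,
				'order' => 31,
				'desc' => '<p>' . gettext('Opt-out for MIME type sniffing.') . '</p>' . self::getStandardDesc($mdn . 'X-Content-Type-Options')
			),
			'X-XSS-Protection' => array(
				'key' => 'securityheaders_xxssprotection',
				'type' => OPTION_TYPE_CHECKBOX_ARRAY,
				'checkboxes' => array(
					gettext('Enable') => 'securityheaders_xxssprotection_enable',
					'mode=block' . ' ' . gettext('(Optional)') => 'securityheaders_xxssprotection_modeblock'
				),
				'order' => 32,
				'desc' => '<p>' . gettext('Legacy header for old browsers to protect against cross-site-scripting attacks.') . '</p>' . self::getStandardDesc($mdn . 'X-XSS-Protection')
			),
			'Referrer-Policy' => array(
				'key' => 'securityheaders_referrerpolicy',
				'type' => OPTION_TYPE_SELECTOR,
				'order' => 33,
				'selections' => array(
					gettext('disabled') => 'disabled',
					'no-referrer' => 'no-referrer',
					'no-referrer-when-downgrade' => 'no-referrer-when-downgrade',
					'origin' => 'origin',
					'origin-when-cross-origin' => 'origin-when-cross-origin',
					'same-origin' => 'same-origin',
					'strict-origin' => 'strict-origin',
					'strict-origin-when-cross-origin' => 'strict-origin-when-cross-origin',
					'unsafe-url' => 'unsafe-url'
				),
				'desc' => '<p>' . gettext('Controls how much referrer information should be sent.') . '</p>' . self::getStandardDesc($mdn . 'Referrer-Policy')
			)
		));
		return $options;
	}

	/**
	 * Builds the option pair for one CSP directive: a checkbox list of keyword sources
	 * (stored under "<key>_<suffix>") and a text box for host sources (stored under "<key>_hosts").
	 *
	 * @param string $directive directive name as used in the header, e.g. "img-src"; also used for the MDN link
	 * @param string $key base option key, e.g. "securityheaders_csp_imgsrc"
	 * @param int $order display order of both options
	 * @param string $desc already translated description sentence
	 * @param bool $csptext whether getStandardDesc() should append the nonce note
	 * @param array|null $checkboxes source => option key list; null selects the standard fetch sources for $key
	 * @return array two option definitions keyed by display label
	 */
	private static function getFetchDirectiveOptions($directive, $key, $order, $desc, $csptext = true, $checkboxes = null) {
		if (is_null($checkboxes)) {
			$checkboxes = self::getContentSecurityPolicyFetchSources($key);
		}
		$link = 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/' . $directive;
		return array(
			'Content-Security-Policy: ' . $directive => array(
				'key' => $key,
				'type' => OPTION_TYPE_CHECKBOX_UL,
				'checkboxes' => $checkboxes,
				'order' => $order,
				'desc' => '<p>' . $desc . '</p>' . self::getStandardDesc($link, $csptext)
			),
			'Content-Security-Policy: ' . $directive . ' - host-source' => array(
				'key' => $key . '_hosts',
				'type' => OPTION_TYPE_TEXTBOX,
				'order' => $order,
				'desc' => self::getCOntentSecurityPolicyHostSourceDoc()
			)
		);
	}

	// No custom option rendering; the standard option types are sufficient.
	function handleOption($option, $currentValue) {
	}

	// Nothing to post-process on save.
	function handleOptionSave($themename, $themealbum) {
	}

	/**
	 * Keyword source expressions selectable for a fetch directive.
	 *
	 * @param string $baseoption base option key; each source is stored under "<base>_<suffix>"
	 * @return array CSP source expression => option key
	 */
	static function getContentSecurityPolicyFetchSources($baseoption = '') {
		return array(
			"*" => $baseoption . '_wildcard',
			"'self'" => $baseoption . '_self',
			"'none'" => $baseoption . "_none",
			"'unsafe-inline'" => $baseoption . "_unsafeinline",
			"'unsafe-eval'" => $baseoption . "_unsafeeval",
			"'strict-dynamic'" => $baseoption . "_strictdynamic",
			"http:" => $baseoption . '_http',
			"https:" => $baseoption . '_https',
			// placeholder: securityHeaders fills in the actual nonce value at header time
			'nonce-' => $baseoption . '_nonce'
		);
	}

	/**
	 * Common trailer for option descriptions: the nonce caveat (optional) plus a link to the spec page.
	 *
	 * @param string $link URL to link to
	 * @param bool $csptext whether to prepend the note about nonce usage with inline scripts
	 * @return string HTML
	 */
	static function getStandardDesc($link, $csptext = false) {
		$desc = '';
		if ($csptext) {
			$desc .= '<p>' . gettext('<em>nonce-</em> uses the internal XSRFToken automatically. Caution: A nonce attribute with <code>getXSRFToken("security_http_headers")</code> must be present on all inline script calls as they otherwise break. Inline handlers (e.g. onclick="") will not work in any case.') . '</p>';
		}
		$desc .= '<p>' . sprintf(gettext('For detailed info please see <a href="%1$s" target="_blank">%2$s</a>.'), $link, $link) . '</p>';
		return $desc;
	}

	/**
	 * Description shared by every host-source text box.
	 *
	 * @return string HTML
	 */
	static function getCOntentSecurityPolicyHostSourceDoc() {
		return '<p>' . gettext('Define one or more domains, e.g. http://yourdomain1.com http://yourdomain2.com, to allow content from') . '</p>';
	}

	/**
	 * Keyword sources valid for frame-ancestors (a subset of the fetch sources).
	 *
	 * @return array CSP source expression => option key
	 */
	static function getContentSecurityPolicyFrameAncestorsSources() {
		return array(
			"*" => 'securityheaders_csp_frameancestors_wildcard',
			"'self'" => 'securityheaders_csp_frameancestors_self',
			"'none'" => 'securityheaders_csp_frameancestors_none',
			"http:" => 'securityheaders_csp_frameancestors_http',
			"https:" => 'securityheaders_csp_frameancestors_https'
		);
	}

	/**
	 * Sandbox flags selectable for the sandbox directive.
	 * The 'allowresentation' key is misspelt but kept as is: stored option values depend on it.
	 *
	 * @return array sandbox flag => option key
	 */
	static function getContentSecurityPolicySandboxSources() {
		return array(
			'allow-forms' => 'securityheaders_csp_sandbox_allowforms',
			'allow-modals' => 'securityheaders_csp_sandbox_allowmodals',
			'allow-orientation-lock' => 'securityheaders_csp_sandbox_alloworientationlock',
			'allow-pointer-lock' => 'securityheaders_csp_sandbox_allowpointerlock',
			'allow-popups' => 'securityheaders_csp_sandbox_allowpopups',
			'allow-popups-to-escape-sandbox' => 'securityheaders_csp_sandbox_allowpopupstoescapesandbox',
			'allow-presentation' => 'securityheaders_csp_sandbox_allowresentation',
			'allow-same-origin' => 'securityheaders_csp_sandbox_allowsameorigin',
			'allow-scripts' => 'securityheaders_csp_sandbox_allowscripts',
			'allow-top-navigation' => 'securityheaders_csp_sandbox_allowtopnavigation',
			'allow-top-navigation-by-user-activation' => 'securityheaders_csp_sandbox_allowtopnavigationbyuseractivation'
		);
	}

	/**
	 * Radio buttons for X-Frame-Options; the stored value is the header value ("disabled" sends nothing).
	 *
	 * @return array label => stored value
	 */
	static function getXframeSources() {
		return array(
			gettext('disabled') => 'disabled',
			'deny' => 'deny',
			'sameorigin' => 'sameorigin',
			'allow-from' => 'allow-from'
		);
	}

	/**
	 * One checkbox per known MIME type for the plugin-types directive.
	 *
	 * Loads the MIME type table into the global $mime_types if it is not present yet.
	 *
	 * @param bool $suffix_as_key true: key by file suffix only (used when building the header);
	 *                            false: key by "suffix (mimetype)" (used as the checkbox label)
	 * @return array label or suffix => option key; empty if no MIME table is available
	 */
	static function getContentSecuritytPolicyPluginTypes($suffix_as_key = false) {
		global $mime_types;
		if (!isset($mime_types)) {
			require_once SERVERPATH . '/' . ZENFOLDER . '/lib-MimeTypes.php';
		}
		$plugintypes = array();
		if (!is_array($mime_types)) {
			return $plugintypes;
		}
		foreach ($mime_types as $suffix => $mimetype) {
			$label = $suffix_as_key ? $suffix : $suffix . ' (' . $mimetype . ')';
			$plugintypes[$label] = 'securityheader_csp_plugintypes_' . $suffix;
		}
		return $plugintypes;
	}
}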
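class securityHeaders {

	/**
	 * "theme_headers" filter callback: sends every security header whose option is enabled.
	 * Relies on header(), so it has to run before any output.
	 */
	static function setHeaders() {
		self::setContentSecurityPolicy();
		self::setStrictTransportSecurity();
		self::setXFrameOptions();
		self::setXContentTypeOptions();
		self::setXSSProtection();
		self::setReferrerPolicy();
	}

	/**
	 * Sends the Content-Security-Policy (or -Report-Only) header assembled from the plugin options.
	 * Nothing is sent when the CSP option is off or no directive ends up with a source.
	 */
	static function setContentSecurityPolicy() {
		// filled by securityheadersOptions::getContentSecuritytPolicyPluginTypes() if not loaded yet
		global $mime_types;
		if (!getOption('securityheaders_csp')) {
			return;
		}
		$reportonly = getOption('securityheaders_csp_reportonly') ? '-Report-Only' : '';
		$csp_sources = array();
		// directive => base option key; keyword checkboxes live under "<key>_<suffix>",
		// the free-text host list under "<key>_hosts" (see securityheadersOptions)
		$csp_mainoptions = array(
			'default-src' => 'securityheaders_csp_defaultsrc',
			'connect-src' => 'securityheaders_csp_connectsrc',
			'font-src' => 'securityheaders_csp_fontsrc',
			'frame-src' => 'securityheaders_csp_framesrc',
			'img-src' => 'securityheaders_csp_imgsrc',
			'manifest-src' => 'securityheaders_csp_manifestsrc',
			'media-src' => 'securityheaders_csp_mediasrc',
			'object-src' => 'securityheaders_csp_objectsrc',
			'script-src' => 'securityheaders_csp_scriptsrc',
			'style-src' => 'securityheaders_csp_stylesrc',
			'form-action' => 'securityheaders_csp_formaction',
			'base-uri' => 'securityheaders_csp_baseuri'
		);
		foreach ($csp_mainoptions as $policy => $option) {
			$directive = self::getContentSecurityPolicyDirective($policy, securityheadersOptions::getContentSecurityPolicyFetchSources($option), $option . '_hosts');
			if (!is_null($directive)) {
				$csp_sources[] = $directive;
			}
		}
		// plugin-types: options are keyed by file suffix, the header needs the MIME type
		$csp_plugintypes = array();
		foreach (securityheadersOptions::getContentSecuritytPolicyPluginTypes(true) as $suffix => $option) {
			if (getOption($option) && isset($mime_types[$suffix])) {
				$csp_plugintypes[] = $mime_types[$suffix];
			}
		}
		if (!empty($csp_plugintypes)) {
			$csp_sources[] = 'plugin-types ' . implode(' ', $csp_plugintypes);
		}
		$sandbox = self::getContentSecurityPolicySources('sandbox', securityheadersOptions::getContentSecurityPolicySandboxSources());
		if (!is_null($sandbox)) {
			$csp_sources[] = $sandbox;
		}
		$frameancestors = self::getContentSecurityPolicyDirective('frame-ancestors', securityheadersOptions::getContentSecurityPolicyFrameAncestorsSources(), 'securityheaders_csp_frameancestors_hosts');
		if (!is_null($frameancestors)) {
			$csp_sources[] = $frameancestors;
		}
		if (getOption('securityheaders_csp_blockallmixedcontent')) {
			$csp_sources[] = 'block-all-mixed-content';
		}
		if (getOption('securityheaders_csp_upgradeinsecurerequests')) {
			$csp_sources[] = 'upgrade-insecure-requests';
		}
		if (!empty($csp_sources)) {
			header('Content-Security-Policy' . $reportonly . ': ' . implode('; ', $csp_sources));
		}
	}

	/**
	 * Sends Strict-Transport-Security when a positive max-age is configured.
	 * The option is cast to int so a non-numeric entry cannot produce a malformed header.
	 */
	static function setStrictTransportSecurity() {
		$maxage = (int) getOption('securityheaders_hsts');
		if ($maxage <= 0) {
			return;
		}
		$header = 'Strict-Transport-Security: max-age=' . $maxage;
		if (getOption('securityheaders_hsts_includesubdomains')) {
			$header .= '; includeSubdomains';
		}
		if (getOption('securityheaders_hsts_preload')) {
			$header .= '; preload';
		}
		header($header);
	}

	/**
	 * Sends X-Frame-Options unless the radio option is unset or "disabled".
	 *
	 * "allow-from" needs a URI; it is read from the same option the admin form writes
	 * (securityheaders_csp_frameancestors_hosts) and the header is skipped when it is empty,
	 * since "X-Frame-Options: allow-from" without a URI is not a valid header.
	 */
	static function setXFrameOptions() {
		$xframeoptions = getOption('securityheaders_xframeoptions');
		if (!$xframeoptions || $xframeoptions == 'disabled') {
			return;
		}
		if ($xframeoptions == 'allow-from') {
			$allowfrom = self::normalizeHostSources(getOption('securityheaders_csp_frameancestors_hosts'));
			if ($allowfrom === '') {
				return;
			}
			// NOTE(review): allow-from takes a single URI; browsers that still honour it will
			// ignore the header if several hosts are entered here
			header('X-Frame-Options: allow-from ' . $allowfrom);
			return;
		}
		header('X-Frame-Options: ' . $xframeoptions);
	}

	/**
	 * Sends X-Content-Type-Options: nosniff when enabled.
	 */
	static function setXContentTypeOptions() {
		if (!getOption('securityheaders_xcontentnosniff')) {
			return;
		}
		header('X-Content-Type-Options: nosniff');
	}

	/**
	 * Sends X-XSS-Protection when enabled.
	 * Reads securityheaders_xxssprotection_enable, the key the option form and the defaults use;
	 * the optional directive is "mode=block" (with "=") as the header syntax requires.
	 */
	static function setXSSProtection() {
		if (!getOption('securityheaders_xxssprotection_enable')) {
			return;
		}
		$header = 'X-XSS-Protection: 1';
		if (getOption('securityheaders_xxssprotection_modeblock')) {
			$header .= '; mode=block';
		}
		header($header);
	}

	/**
	 * Sends Referrer-Policy with the selected value unless it is unset or "disabled".
	 */
	static function setReferrerPolicy() {
		$referrerpolicy = getOption('securityheaders_referrerpolicy');
		if ($referrerpolicy && $referrerpolicy != 'disabled') {
			header('Referrer-Policy: ' . $referrerpolicy);
		}
	}

	/**
	 * Builds one directive from the enabled keyword checkboxes.
	 * Kept for callers outside this file; setContentSecurityPolicy() uses getContentSecurityPolicyDirective().
	 *
	 * @param string $policyname directive name, e.g. "sandbox"
	 * @param array $checkboxoptions source expression => option key
	 * @return string|null "<name> src1 src2 …", or null when no source is enabled
	 */
	static function getContentSecurityPolicySources($policyname, $checkboxoptions) {
		return self::getContentSecurityPolicyDirective($policyname, $checkboxoptions);
	}

	/**
	 * Builds one directive from its keyword checkboxes plus the optional free-text host list.
	 *
	 * The directive name is always prefixed, so a host list entered without any keyword
	 * source yields a valid "<name> host1 host2" directive instead of a bare host list.
	 *
	 * @param string $policyname directive name, e.g. "img-src"
	 * @param array $checkboxoptions source expression => option key
	 * @param string $hostsoption option key of the host-source text box; '' for none
	 * @return string|null the directive, or null when no source is configured
	 */
	static function getContentSecurityPolicyDirective($policyname, $checkboxoptions, $hostsoption = '') {
		$sources = self::getEnabledContentSecurityPolicySources($checkboxoptions);
		if ($hostsoption) {
			$hosts = self::normalizeHostSources(getOption($hostsoption));
			if ($hosts !== '') {
				$sources[] = $hosts;
			}
		}
		if (empty($sources)) {
			return null;
		}
		return trim($policyname . ' ' . implode(' ', $sources));
	}

	/**
	 * Collects the source expressions whose checkbox option is enabled.
	 *
	 * @param array $checkboxoptions source expression => option key
	 * @return array list of source expressions ready for the header
	 */
	private static function getEnabledContentSecurityPolicySources($checkboxoptions) {
		$sources = array();
		foreach ($checkboxoptions as $source => $option) {
			if (!getOption($option)) {
				continue;
			}
			if ($source == 'nonce-') {
				// a nonce source expression must be quoted: 'nonce-<value>'; unquoted it would be
				// parsed as a host source and never match the nonce attribute on the inline scripts.
				// NOTE(review): the XSRF token is reused as the nonce; a CSP nonce is meant to be
				// unguessable per response, so confirm the token's lifetime is acceptable here
				$sources[] = "'nonce-" . getXSRFToken('security_http_headers') . "'";
			} else {
				$sources[] = trim($source);
			}
		}
		return $sources;
	}

	/**
	 * Collapses a free-text host list to single-space separated tokens on one line,
	 * so a multi-line entry never reaches header() (which rejects line breaks).
	 *
	 * @param mixed $value raw option value
	 * @return string normalized list, '' when empty
	 */
	private static function normalizeHostSources($value) {
		return trim(preg_replace('/\s+/', ' ', (string) $value));
	}
}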