Add HTTP security headers #179

Closed
M4LuZ opened this issue Mar 30, 2018 · 6 comments · Fixed by #909 or #910 · May be fixed by #483
Labels
enhancement security issue Issues with relation to or with impact on the system security

Comments

@M4LuZ
Collaborator

M4LuZ commented Mar 30, 2018

Expected Behavior

Over the last few years a good number of security enhancements have been included in the HTTP standard. Some of them are configured by the server sending defined HTTP header bits.
Thus we should have a look if we can implement these without breaking current functionality.
Examples would be:

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Strict-Transport-Security

More can be found, for example, at the OWASP Secure Headers Project.

Current Behavior

Headers aren't set. Default browser options are used.

Possible Solution

Set headers by default to the recommended setting, fix compatibility issues if possible, change the header value otherwise.

Context

To get LS up to the current state-of-the-art in this regard

@M4LuZ M4LuZ added enhancement security issue Issues with relation to or with impact on the system security labels Mar 30, 2018
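
One way to implement the "Possible Solution" from the opening post in PHP, added here as an example and not taken from LanSuite or from the commit referenced later in this thread. The function name, the `$overrides` array and the header values are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not LanSuite code. Names and values below are assumptions.

/**
 * Build the headers listed in the issue with default values.
 * $overrides (hypothetical setting): a string replaces a default,
 * null drops a header that breaks existing functionality.
 */
function buildSecurityHeaders(bool $isHttps, array $overrides = []): array
{
    $headers = [
        // Only same-origin pages may frame the site (clickjacking defence).
        'X-Frame-Options'        => 'SAMEORIGIN',
        // Keep browsers from MIME-sniffing a response into another type.
        'X-Content-Type-Options' => 'nosniff',
        // '0' turns the legacy XSS auditor off in browsers that still have one.
        'X-XSS-Protection'       => '0',
    ];
    if ($isHttps) {
        // Browsers ignore HSTS received over plain HTTP, so send it on TLS only.
        $headers['Strict-Transport-Security'] = 'max-age=31536000';
    }
    foreach ($overrides as $name => $value) {
        if (!array_key_exists($name, $headers)) {
            continue; // only the known headers can be tuned
        }
        if ($value === null) {
            unset($headers[$name]);
        } elseif (is_string($value) && !preg_match('/[\r\n]/', $value)) {
            $headers[$name] = $value; // CR/LF rejected: no header injection
        } else {
            throw new InvalidArgumentException("Bad value for $name");
        }
    }
    return $headers;
}

// Call before any output is sent, e.g. at the top of the front controller.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$headers = buildSecurityHeaders($isHttps, ['X-Frame-Options' => 'DENY']);
foreach ($headers as $name => $value) {
    header("$name: $value");
}
```

Behind a TLS-terminating reverse proxy `$_SERVER['HTTPS']` is usually unset, so the HTTPS check has to come from the proxy configuration instead.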
@andygrunwald
Collaborator

andygrunwald commented Mar 30, 2018

Agree here.
Also check out this: The 2018 Guide to Building Secure PHP Software

//Edit: Fixed the link. Here was a GetPocket.com link

@M4LuZ
Collaborator Author

M4LuZ commented Mar 30, 2018

Sorry senor, me no pocket :)

@andygrunwald
Collaborator

Oh sorry.
Here is the correct link: The 2018 Guide to Building Secure PHP Software
Fixed it also above

@M4LuZ
Collaborator Author

M4LuZ commented Mar 31, 2018

Definitely a good read.
You may have noticed that I'm now using your own sources against you ;)

@andygrunwald
Collaborator

This is fine as long as it is a good discussion, because I believe such discussions lead to a better end result :)

@M4LuZ M4LuZ added this to the LanSuite 5.0 RC milestone Feb 19, 2019
M4LuZ added a commit that referenced this issue May 6, 2022
Includes settings for cookies

fixes #179
@M4LuZ
Collaborator Author

M4LuZ commented Jan 9, 2024

(removing from milestone, as not critical and no feedback received so far)
