Adding HTTP headers to address certain XSS attacks, resolves #91

This commit is contained in:
El RIDO 2016-09-18 11:29:37 +02:00
parent ec7af3a738
commit 8cfcf1c9f5
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
1 changed files with 4 additions and 1 deletions

View File

@ -403,12 +403,15 @@ class PrivateBin
{ {
// set headers to disable caching // set headers to disable caching
$time = gmdate('D, d M Y H:i:s \G\M\T'); $time = gmdate('D, d M Y H:i:s \G\M\T');
header('Cache-Control: no-store, no-cache, must-revalidate'); header('Cache-Control: no-store, no-cache, no-transform, must-revalidate');
header('Pragma: no-cache'); header('Pragma: no-cache');
header('Expires: ' . $time); header('Expires: ' . $time);
header('Last-Modified: ' . $time); header('Last-Modified: ' . $time);
header('Vary: Accept'); header('Vary: Accept');
header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader')); header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
header('X-Xss-Protection: 1; mode=block');
header('X-Frame-Options: DENY');
header('X-Content-Type-Options: nosniff');
// label all the expiration options // label all the expiration options
$expire = array(); $expire = array();