From a14b87baf25e8a4747318efa7a7b52ad04966af7 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Mon, 8 Feb 2016 14:48:11 -0800
Subject: [PATCH] make yet another recommended security header optional - this time because of piwik. Personally I think if you want to track people you really don't understand this project and its history, but whatever....
---
 boot.php | 3 ++-
 install/htconfig.sample.php | 9 +++++++++
 view/cs/htconfig.tpl | 9 +++++++++
 view/de/htconfig.tpl | 9 +++++++++
 view/en-au/htconfig.tpl | 9 +++++++++
 view/en-gb/htconfig.tpl | 7 +++++++
 view/en/htconfig.tpl | 17 +++++++++++++++++
 view/eo/htconfig.tpl | 9 +++++++++
 view/fr/htconfig.tpl | 9 +++++++++
 view/it/htconfig.tpl | 9 +++++++++
 view/nb-no/htconfig.tpl | 9 +++++++++
 view/pt-br/htconfig.tpl | 9 +++++++++
 12 files changed, 107 insertions(+), 1 deletion(-)
diff --git a/boot.php b/boot.php
index 1f214c400..ce26f3a09 100755
--- a/boot.php
+++ b/boot.php
@@ -2167,7 +2167,8 @@ function construct_page(&$a) {
 if($a->get_scheme() === 'https' && $a->config['system']['transport_security_header'])
 header("Strict-Transport-Security: max-age=31536000");
- header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+ if($a->config['system']['content_security_policy'])
+ header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
 if($a->config['system']['x_security_headers']) {
 header("X-Frame-Options: SAMEORIGIN");
diff --git a/install/htconfig.sample.php b/install/htconfig.sample.php
index 50ce9658b..f64e2571b 100755
--- a/install/htconfig.sample.php
+++ b/install/htconfig.sample.php
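Review bot: Existing installations whose .htconfig.php predates this change stop sending Content-Security-Policy altogether, because the new guard `if($a->config['system']['content_security_policy'])` treats an absent key as false (and, depending on error_reporting, emits an undefined-index notice), while the `= 1` default only lands in the sample config and install templates for new sites. The header was previously sent unconditionally, so this is a silent security regression on upgrade; treat a missing key as enabled, e.g. `if(! array_key_exists('content_security_policy', $a->config['system']) || $a->config['system']['content_security_policy'])`. A short comment above the guard should also say that turning the flag off drops the policy entirely rather than relaxing it, and that for piwik the narrower option is to add that origin to `script-src` instead. construct_page() starts before and continues after this hunk.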
@@ -46,6 +46,15 @@ $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = 'if the auto install failed, put a unique random string here';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
 // REGISTER_CLOSED. 'register_text' (if set) will be displayed prominently on
diff --git a/view/cs/htconfig.tpl b/view/cs/htconfig.tpl
index 8f26ec7b0..b809aebdf 100644
--- a/view/cs/htconfig.tpl
+++ b/view/cs/htconfig.tpl
@@ -36,6 +36,15 @@ $a->config['system']['baseurl'] = '{{$siteurl}}';
 $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
 // REGISTER_CLOSED. 'register_text' (if set) will be displayed prominently on
diff --git a/view/de/htconfig.tpl b/view/de/htconfig.tpl
index a81c34741..fb5d6232c 100644
--- a/view/de/htconfig.tpl
+++ b/view/de/htconfig.tpl
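Review bot: The new comment block in install/htconfig.sample.php does not tell an administrator that the toggle is all-or-nothing, nor that sites upgrading with an older .htconfig.php have to add the line themselves to keep the header; both are what someone reading this file on upgrade needs to know. Suggest appending `// Setting content_security_policy to 0 removes the policy entirely; sites upgrading from an older release must add these lines to keep sending it.` after the existing four comment lines. The same wording applies to each of the view/*/htconfig.tpl copies.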
@@ -37,6 +37,15 @@ $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
 // REGISTER_CLOSED. 'register_text' (if set) will be displayed prominently on
diff --git a/view/en-au/htconfig.tpl b/view/en-au/htconfig.tpl
index 9611decf9..13fa550a2 100644
--- a/view/en-au/htconfig.tpl
+++ b/view/en-au/htconfig.tpl
@@ -37,6 +37,15 @@ $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
 // REGISTER_CLOSED. 'register_text' (if set) will be displayed prominently on
diff --git a/view/en-gb/htconfig.tpl b/view/en-gb/htconfig.tpl
index 9611decf9..ccb6c5eca 100644
--- a/view/en-gb/htconfig.tpl
+++ b/view/en-gb/htconfig.tpl
@@ -36,6 +36,13 @@ $a->config['system']['baseurl'] = '{{$siteurl}}';
 $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
diff --git a/view/en/htconfig.tpl b/view/en/htconfig.tpl
index 50e05fc3e..5c05111f3 100644
--- a/view/en/htconfig.tpl
+++ b/view/en/htconfig.tpl
@@ -36,6 +36,23 @@ $a->config['system']['baseurl'] = '{{$siteurl}}';
 $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
diff --git a/view/eo/htconfig.tpl b/view/eo/htconfig.tpl
index 8f26ec7b0..0695462eb 100644
--- a/view/eo/htconfig.tpl
+++ b/view/eo/htconfig.tpl
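Review bot: view/en/htconfig.tpl receives the comment block and both `$a->config['system'][...] = 1;` assignments twice (17 insertions here versus 9 in every other locale), which looks like a paste error rather than intent. With identical values it is harmless today, but an administrator who edits the first copy to `0` is silently overridden by the second, and the duplicate comment will confuse anyone reading the generated .htconfig.php. Drop the second copy so the English template matches install/htconfig.sample.php and the other locales.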
@@ -36,6 +36,15 @@ $a->config['system']['baseurl'] = '{{$siteurl}}';
 $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
 // REGISTER_CLOSED. 'register_text' (if set) will be displayed prominently on
diff --git a/view/fr/htconfig.tpl b/view/fr/htconfig.tpl
index 5171fd327..799cdaa71 100644
--- a/view/fr/htconfig.tpl
+++ b/view/fr/htconfig.tpl
@@ -37,6 +37,15 @@ $a->config['system']['baseurl'] = '{{$siteurl}}';
 $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
 // Vos choix sont REGISTER_OPEN, REGISTER_APPROVE, ou REGISTER_CLOSED.
 // Soyez certains de créer votre compte personnel avant de déclarer
 // votre site REGISTER_CLOSED. 'register_text' (si vous décider de l'utiliser)
diff --git a/view/it/htconfig.tpl b/view/it/htconfig.tpl
index 8f26ec7b0..b809aebdf 100644
--- a/view/it/htconfig.tpl
+++ b/view/it/htconfig.tpl
@@ -36,6 +36,15 @@ $a->config['system']['baseurl'] = '{{$siteurl}}';
 $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
 // REGISTER_CLOSED. 'register_text' (if set) will be displayed prominently on
diff --git a/view/nb-no/htconfig.tpl b/view/nb-no/htconfig.tpl
index 8f26ec7b0..b809aebdf 100644
--- a/view/nb-no/htconfig.tpl
+++ b/view/nb-no/htconfig.tpl
@@ -36,6 +36,15 @@ $a->config['system']['baseurl'] = '{{$siteurl}}';
 $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
 // REGISTER_CLOSED. 'register_text' (if set) will be displayed prominently on
diff --git a/view/pt-br/htconfig.tpl b/view/pt-br/htconfig.tpl
index 8f26ec7b0..b809aebdf 100644
--- a/view/pt-br/htconfig.tpl
+++ b/view/pt-br/htconfig.tpl
@@ -36,6 +36,15 @@ $a->config['system']['baseurl'] = '{{$siteurl}}';
 $a->config['system']['sitename'] = "Hubzilla";
 $a->config['system']['location_hash'] = '{{$site_id}}';
+// These lines set additional security headers to be sent with all responses
+// You may wish to set transport_security_header to 0 if your server already sends
+// this header. content_security_policy may need to be disabled if you wish to
+// run the piwik analytics plugin or include other offsite resources on a page
+
+$a->config['system']['transport_security_header'] = 1;
+$a->config['system']['content_security_policy'] = 1;
+
+
 // Your choices are REGISTER_OPEN, REGISTER_APPROVE, or REGISTER_CLOSED.
 // Be certain to create your own personal account before setting
 // REGISTER_CLOSED. 'register_text' (if set) will be displayed prominently on