security++

2025-08-23 17:47:26 +00:00 · 2016-07-25 13:56:45 -04:00 · 2016-07-25 13:56:45 -04:00 · 1df58418bf
commit 1df58418bf
parent 65978bd90a
3 changed files with 17 additions and 3 deletions
--- a/controller/Controller.class.php
+++ b/controller/Controller.class.php
@ -13,7 +13,18 @@ class Controller
      $viewParameters = isset($viewAndParams[1]) ? $viewAndParams[1] : [];
      $headers = isset($viewAndParams[2]) ? $viewAndParams[2] : [];

-      static::sendHeaders($headers);
+      $defaultHeaders = [
+        'Content-Security-Policy' => "frame-ancestors 'none'",
+        'X-Frame-Options' => 'DENY',
+        'X-XSS-Protection'=> '1',
+      ];
+
+      if (IS_PRODUCTION)
+      {
+        $defaultHeaders['Strict-Transport-Security'] = 'max-age=31536000';
+      }
+
+      static::sendHeaders(array_merge($defaultHeaders, $headers));

      if ($viewTemplate === null)
      {
--- a/controller/Session.class.php
+++ b/controller/Session.class.php
@ -18,7 +18,10 @@ class Session

  public static function init()
  {
-    session_start();
+    session_start([
+      'cookie_secure' => IS_PRODUCTION, // cookie over ssl only
+      'cookie_httponly' => true, // no js access
+    ]);
  }

  public static function get($key, $default = null)
--- a/controller/action/DownloadActions.class.php
+++ b/controller/action/DownloadActions.class.php
@ -76,7 +76,7 @@ class DownloadActions extends Actions

    if (!$email || !filter_var($email, FILTER_VALIDATE_EMAIL))
    {
-      Session::set(Session::KEY_DOWNLOAD_ACCESS_ERROR, 'Please provide a valid email. You provided: ' . $email);
+      Session::set(Session::KEY_DOWNLOAD_ACCESS_ERROR, 'Please provide a valid email. You provided: ' . htmlspecialchars($email));
    }
    else
    {