LBRYFoundation/lbry.com
1
0
Fork 0
mirror of https://github.com/LBRYFoundation/lbry.com.git synced 2025-08-23 17:47:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

security++

Browse source
This commit is contained in:
Alex Grintsvayg 2016-07-25 13:56:45 -04:00
parent 65978bd90a
commit 1df58418bf
3 changed files with 17 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
controller/Controller.class.php
View file

@ -13,7 +13,18 @@ class Controller
$viewParameters = isset($viewAndParams[1]) ? $viewAndParams[1] : []; $viewParameters = isset($viewAndParams[1]) ? $viewAndParams[1] : [];
$headers = isset($viewAndParams[2]) ? $viewAndParams[2] : []; $headers = isset($viewAndParams[2]) ? $viewAndParams[2] : [];
static::sendHeaders($headers); $defaultHeaders = [
'Content-Security-Policy' => "frame-ancestors 'none'",
'X-Frame-Options' => 'DENY',
'X-XSS-Protection'=> '1',
];
if (IS_PRODUCTION)
{
$defaultHeaders['Strict-Transport-Security'] = 'max-age=31536000';
}
static::sendHeaders(array_merge($defaultHeaders, $headers));
if ($viewTemplate === null) if ($viewTemplate === null)
{ {

5
controller/Session.class.php
View file

@ -18,7 +18,10 @@ class Session
public static function init() public static function init()
{ {
session_start(); session_start([
'cookie_secure' => IS_PRODUCTION, // cookie over ssl only
'cookie_httponly' => true, // no js access
]);
} }
public static function get($key, $default = null) public static function get($key, $default = null)

2
controller/action/DownloadActions.class.php
View file

@ -76,7 +76,7 @@ class DownloadActions extends Actions
if (!$email || !filter_var($email, FILTER_VALIDATE_EMAIL)) if (!$email || !filter_var($email, FILTER_VALIDATE_EMAIL))
{ {
Session::set(Session::KEY_DOWNLOAD_ACCESS_ERROR, 'Please provide a valid email. You provided: ' . $email); Session::set(Session::KEY_DOWNLOAD_ACCESS_ERROR, 'Please provide a valid email. You provided: ' . htmlspecialchars($email));
} }
else else
{ {