Looking into the list above, I've done some initial research as to what these headers are used for, to see if we need to add them.
* Strict-Transport-Security
- Would need to be turned on for sites running https
- Could be problems for sites with 3rd party content - but most of that should be sorted out now
- Could be a problem with self-signed certificates
* Content-Security-Policy
- helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via an HTTP header
- deals with restricting script/style/image/ajax/font/object sources
- Probably not useful for Mahara as we allow the fetching of things via the external media block
* X-Frame-Options
- currently set to: sameorigin
* X-XSS-Protection
- The role of this header is to re-enable the filter for this particular website if it was disabled by the user
- Deals with reflected XSS vulnerabilities
- When set as X-XSS-Protection: 1; mode=block it will prevent the page from loading
* X-Content-Type-Options
- the only option at the moment is 'nosniff'
- prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type
* X-Powered-By
- Exposes what PHP version you are using
- You can set expose_php = Off in your php.ini if you don't want it to send X-Powered-By header.
* X-Permitted-Cross-Domain-Policies
- setting: 'master-only' - used by Adobe Flash
- More info: https://www.perpetual-beta.org/weblog/security-headers.html#rule-8470-2-establish-a-cross-domain-meta-policy
- a 2014 example from twitter
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
<allow-access-from domain="api.twitter.com" />
<allow-access-from domain="search.twitter.com" />
<allow-access-from domain="static.twitter.com" />
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>
* Caching headers
- Currently it is like this: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- other options worth adding:
- private - A proxy will not cache a page if it is marked as "private"
- no-transform - this option may be important for mobile users. Some mobile providers will compress or alter content, in particular images, to save bandwidth when re-transmitting content over cellular networks.
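As an added example (not code from the Mahara project or from the comment above), here is a small Python audit that takes a response's headers and reports which items on the checklist above are missing or weak: HSTS only on https, X-Frame-Options, X-XSS-Protection in block mode, X-Content-Type-Options nosniff, X-Permitted-Cross-Domain-Policies, the X-Powered-By leak, and the private / no-transform additions to Cache-Control. The two header sets are constructed samples (the PHP version string is made up), and the "positive max-age" requirement for HSTS is this example's own choice.

```python
# Added example, not part of the original thread or of Mahara: audit response
# headers against the checklist above. Sample headers are constructed data.
from typing import Dict, List

# Constructed sample: roughly what the comment says the site sends today
# (X-Frame-Options, the long Cache-Control line, X-Powered-By from expose_php = On).
CURRENT_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "sameorigin",
    "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "X-Powered-By": "PHP/5.5.9",  # made-up version string
}

# Constructed sample: the same response with the headers the checklist suggests.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "sameorigin",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "master-only",
    "Cache-Control": "no-store, no-cache, must-revalidate, private, no-transform",
}


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lower-cased keys."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _directives(value: str) -> Dict[str, str]:
    """Split a comma-separated 'a, b=1' header value into {name: value}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, val = part.partition("=")
            out[name.strip()] = val.strip()
    return out


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or -1 if absent/invalid."""
    for part in value.split(";"):
        name, _, val = part.strip().lower().partition("=")
        if name == "max-age" and val.isdigit():
            return int(val)
    return -1


def audit_headers(headers: Dict[str, str], scheme: str = "https") -> List[str]:
    """Return one finding per checklist item that is missing or weak; [] passes."""
    h = _normalise(headers)
    findings: List[str] = []

    # HSTS only applies on https; browsers ignore it on plain http.
    hsts = h.get("strict-transport-security")
    if scheme == "https":
        if hsts is None:
            findings.append("Strict-Transport-Security missing on an https site")
        elif hsts_max_age(hsts) <= 0:
            findings.append("Strict-Transport-Security needs a positive max-age")
    elif hsts is not None:
        findings.append("Strict-Transport-Security over http is ignored; serve https first")

    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")

    # Blocking mode of the browser's reflected-XSS filter, as the comment recommends.
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection should be '1; mode=block'")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    if h.get("x-permitted-cross-domain-policies", "").lower() not in ("none", "master-only"):
        findings.append("X-Permitted-Cross-Domain-Policies should be 'master-only' (or 'none')")

    # Version disclosure: PHP adds this header unless expose_php = Off.
    if "x-powered-by" in h:
        findings.append("X-Powered-By leaks the PHP version; set expose_php = Off")

    # Keep no-store; add private (shared proxies) and no-transform (mobile carriers).
    cache = _directives(h.get("cache-control", ""))
    for directive in ("no-store", "private", "no-transform"):
        if directive not in cache:
            findings.append(f"Cache-Control is missing '{directive}'")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("current", CURRENT_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = audit_headers(hdrs)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Running it against the constructed "current" set lists seven findings (HSTS, X-XSS-Protection, nosniff, cross-domain policy, X-Powered-By, and the two missing Cache-Control directives); the hardened set returns no findings. Pass `scheme="http"` for a plain-http site and the HSTS requirement is dropped, matching the note above that it only needs turning on for https sites.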