jrenslin/md-cms
Archived
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Improved settings of CSPs.

Browse Source 
Added manifest.json.
Added further security-related HTTP headers.
This commit is contained in:
Joshua Ramon Enslin
2018-06-18 13:57:35 +02:00
committed by Stefan Rohde-Enslin
parent 1acdc7ba2b
commit 067beedf29
12 changed files with 165 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
edit/translations/en.php
View File

@ -16,6 +16,9 @@ $translations = [
"preview" => "Preview",
"banner" => "Banner",
"delete" => "Delete",
"general" => "General Settings",
"security" => "Security",
"integrationWithMD" => "Integration with Museum-Digital",
"languageUnavailable" => "This language is not available.",
"settingsUpdated" => "Updated settings.",
"staticPageTitle" => "Page title",
@ -41,6 +44,29 @@ $translations = [
"helpAdmin" => "<p>Is the user an administrator?</p>",
"language" => "Language",
"helpLanguage" => "<p>The default language of this instance of md:cms.</p>",
"sendHTTPHeaders" => "Send additional HTTP Headers",
"helpSendHTTPHeaders" => "<p>md:cms can send additional directives to the browser to increase security. Your server administrator can set these server wide, and if they have done so already, you should disable this option (this is by far the prefered way). In most cases, server administrators have not opted to do so yet, and keeping this option enabled makes sense. If you want to inquire into this further, the <a href='https://observatory.mozilla.org/'>Mozilla Observatory</a> is a useful resource.</p>
<p>
The default headers sent are the following:
<pre><code>
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; preload
Referrer-Policy: strict-origin
</code></pre>
</p>",
"CSPimageSources" => "Image sources (whitelist)",
"helpCSPimageSources" => "
<p>To increase security, md:cms directs browsers to refrain from loading images from any but the whitelisted sources. By default, only the current domain and the linked instance of museum-digital are whitelisted.</p>
<p>If you, for example, want to embed images from flickr.com, you either need to download the images and upload them here, or you whitelist flickr. To whitelist domains, please enter them one by one into the field, separated by whitespaces. E.g.<br />
<code>https://www.flickr.com https://www.google.com</code>
</p>",
"CSPobjectSources" => "Object sources (whitelist)",
"helpCSPobjectSources" => "
<p>To increase security, md:cms directs browsers to refrain from loading frames and objects from any but the whitelisted sources. By default, only the current domain and the linked instance of museum-digital are whitelisted.</p>
<p>If you, for example, want to embed videos from youtube.com, you need to whitelist youtube. To whitelist domains, please enter them one by one into the field, separated by whitespaces. E.g.<br />
<code>https://www.youtube.com https://www.vimeo.com</code>
</p>",
"maxFileSize" => "Maximum upload size",
"helpMaxFileSize" => "<p>The maximum file size of file uploads.</p>",
"cacheRefreshInterval" => "Cache Refresh Interval",