Improved settings of CSPs.

Added manifest.json.
Added further security-related HTTP headers.

inc/functions.php

@@ -74,19 +74,28 @@ function ensureEnvironment() {
             "logo"                  => "",
             "url"                   => "",
             "css"                   => "default",
-            "hideInstitution"       => 0,
+            "defaultLang"           => "en",
             "cacheRefreshInterval"  => 0,
             "mdVersion"             => "https://rlp.museum-digital.de/",
             "mdImgFolder"           => "https://rlp.museum-digital.de/data/rlp/",
+            "hideInstitution"       => 0,
             "limitToInstitutions"   => [],
+            "sendHTTPHeaders"       => 1,
+            "CSPimageSources"       => "",
+            "CSPobjectSources"      => "",
             "maxFileSize"           => 300000,
-            "defaultLang"           => "en"
         ],
         json_decode(file_get_contents(__DIR__ . "/../data/settings.json"), true)
     );
 
     $GLOBALS['settings'] = $settings;
 
+    if ($settings['sendHTTPHeaders']) {
+        header('X-Content-Type-Options: nosniff');
+        header('X-XSS-Protection: 1; mode=block');
+        header('Strict-Transport-Security: max-age=31536000; preload');
+        header('Referrer-Policy: strict-origin');
+    }
 
 }