Implement content security policies

phpcs-errors:253 phpunit-status:successful
This commit is contained in:
Joshua Ramon Enslin 2019-11-14 12:55:26 +01:00 committed by Stefan Rohde-Enslin
parent 0385752c6e
commit 1bccab2da2

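--- a/.htaccess
+++ b/.htaccess
@@ -0,0 +1,34 @@
+RewriteEngine On # Turn on the rewriting engine
+# Disallow access to the given subfolders
+RewriteRule ^(\.git|conf|vendor/|composer\.json|composer\.lock|functions) - [F,L,NC]
+# Only allow GET|HEAD|POST
+RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|OPTIONS)
+RewriteRule .? - [F]
+# RewriteCond %{REQUEST_URI} output=json
+# RewriteRule ^.*$ - [ENV=LONGCACHE:true]
+# Header set Access-Control-Allow-Origin "*" env=LONGCACHE
+# Header set Access-Control-Allow-Methods "GET, OPTIONS" env=LONGCACHE
+# Header set Access-Control-Allow-Headers "X-PINGOTHER, Content-Type, Accept-Encoding, cache-control" env=LONGCACHE
+# Header set Access-Control-Max-Age "86400" env=LONGCACHE
+HEADER set X-Frame-Options DENY env=LONGCACHE
+# RewriteCond %{REQUEST_FILENAME} -f
+# RewriteRule ^(.+)\.pdf$ /cgi-bin/pdf.php?file=$1 [L,NC,QSA]
+# Disallow execution of the following types of scripts
+RemoveHandler cgi-script .pl .py .cgi .sh
+## MAIN DEFAULTS
+Options -Indexes
+DirectoryIndex index.php
+# Set deailt charset
+AddDefaultCharset UTF-8
+# Set content and feature security headers
+Header set Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://*.jrenslin.de; img-src 'self' https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action https://nat.museum-digital.de;"
+Header set Feature-Policy "midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'self'; gyroscope 'self'; speaker *; payment 'none'; fullscreen 'self'; geolocation 'none';"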
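Review bot: The first line, `RewriteEngine On # Turn on the rewriting engine`, is not valid Apache configuration — `#` only starts a comment at the beginning of a line, so the directive receives extra arguments and the whole .htaccess is rejected, which typically turns every request under it into a 500; move the comment to its own line and keep `RewriteEngine On` alone. The X-Frame-Options header is gated on `env=LONGCACHE`, but the only rule that sets that variable is commented out above it, so the header is never emitted; CSP `frame-ancestors 'none'` covers current browsers, but the fallback should be unconditional: `Header always set X-Frame-Options DENY`. The three `Header set` lines also apply only to successful responses by default, so 403/404 pages (including the forbidden responses produced by the RewriteRules above) go out without CSP or Feature-Policy — use `Header always set` for all of them. Minor: the comment says only GET|HEAD|POST are allowed, yet the condition also permits OPTIONS; either adjust the comment or drop OPTIONS from the list since the CORS block it would serve is commented out.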