new: [security] New setting to check `Sec-Fetch-Site` header

pull/6081/head
Jakub Onderka 2020-10-18 19:42:36 +02:00
parent 5e12063620
commit 63ae5c16e0
2 changed files with 15 additions and 0 deletions


@ -139,6 +139,12 @@ class AppController extends Controller
$this->_stop();
}
}
if (Configure::read('Security.check_sec_fetch_site_header')) {
$secFetchSite = $this->request->header('Sec-Fetch-Site');
if ($secFetchSite !== false && $secFetchSite !== 'same-origin' && ($this->request->is('post') || $this->request->is('put') || $this->request->is('ajax'))) {
throw new MethodNotAllowedException("POST, PUT and AJAX requests are allowed just from same origin.");
}
}
if (Configure::read('Security.disable_browser_cache')) {
$this->response->disableCache();
}
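Review bot: The method filter on the new `if` only covers POST, PUT and AJAX, so a browser-originated DELETE or PATCH with a cross-origin `Sec-Fetch-Site` value passes straight through; if the intent is to fence off every state-changing request, the condition should be inverted to allow only safe methods, e.g. `!$this->request->is('get') && !$this->request->is('head')` (keeping the `is('ajax')` term so XHR GETs stay covered), and the description of the setting updated to match. A `Sec-Fetch-Site: same-site` request (a sibling subdomain) is rejected by this check, which is probably desired but should be stated in a comment so nobody "fixes" it later, e.g. `// only same-origin (not same-site) browsers may issue state-changing requests; absent header = non-supporting client`. Returning `MethodNotAllowedException` (405) for an origin problem is slightly misleading — the method itself is allowed, the origin is not — so a 403-class exception would read better and would not suggest to a client that another verb might succeed; the message itself should say "only" rather than "just". The enclosing `beforeFilter` method begins and ends outside this hunk, so whether this runs before or after authentication cannot be confirmed from here.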


@ -1306,6 +1306,15 @@ class Server extends AppModel
'type' => 'boolean',
'null' => true,
),
'check_sec_fetch_site_header' => [
'level' => 0,
'description' => __('If enabled, any POST, PUT or AJAX request will be allow just when Sec-Fetch-Site header is not defined or contains "same-origin".'),
'value' => false,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean',
'null' => true,
],
'email_otp_enabled' => array(
'level'=> 2,
'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'),
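Review bot: The description string on the new `check_sec_fetch_site_header` entry has a grammar slip and understates the effect of the setting: "will be allow just when" should read "will be allowed only when", and it should tell the administrator that requests from a different subdomain of the same site (`Sec-Fetch-Site: same-site`) are rejected too, since that is the case most likely to surprise a multi-host deployment, e.g. `__('If enabled, any POST, PUT or AJAX request will be allowed only when the Sec-Fetch-Site header is absent or equals "same-origin"; requests from other subdomains (same-site) or other origins are rejected.')`. `'errorMessage' => ''` leaves the admin with no hint when the value fails `testBool`; the neighbouring settings presumably carry a message and this one should too. The enclosing `serverSettings` array starts and ends outside this hunk.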