mirror of https://github.com/MISP/MISP
new: [security] New setting to check `Sec-Fetch-Site` header
parent
5e12063620
commit
63ae5c16e0
|
@ -139,6 +139,12 @@ class AppController extends Controller
|
|||
$this->_stop();
|
||||
}
|
||||
}
|
||||
if (Configure::read('Security.check_sec_fetch_site_header')) {
|
||||
$secFetchSite = $this->request->header('Sec-Fetch-Site');
|
||||
if ($secFetchSite !== false && $secFetchSite !== 'same-origin' && ($this->request->is('post') || $this->request->is('put') || $this->request->is('ajax'))) {
|
||||
throw new MethodNotAllowedException("POST, PUT and AJAX requests are allowed just from same origin.");
|
||||
}
|
||||
}
|
||||
if (Configure::read('Security.disable_browser_cache')) {
|
||||
$this->response->disableCache();
|
||||
}
|
||||
|
|
|
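Review bot: The condition at line 26 treats every value other than `same-origin` as hostile, so a browser that reaches MISP through a sibling subdomain of the same registrable domain (`Sec-Fetch-Site: same-site`) gets every POST, PUT and AJAX request refused once the setting is on, and nothing is logged to explain why; the enclosing method starts and ends outside the hunk, so whether this runs before or after session loading is not visible here. I would state the intent above the check, e.g. `// Only 'same-origin' is trusted: 'same-site', 'cross-site' and 'none' are all rejected; non-browser API clients do not send the header and pass.`, and log the rejection before throwing so operators can diagnose blocked integrations. The exception text also reads oddly; `"POST, PUT and AJAX requests are only allowed from the same origin."` is clearer. Note that this is only a defence-in-depth measure: a client that omits the header entirely passes the check, so it must not replace the existing CSRF protection.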
@ -1306,6 +1306,15 @@ class Server extends AppModel
|
|||
'type' => 'boolean',
|
||||
'null' => true,
|
||||
),
|
||||
'check_sec_fetch_site_header' => [
|
||||
'level' => 0,
|
||||
'description' => __('If enabled, any POST, PUT or AJAX request will be allow just when Sec-Fetch-Site header is not defined or contains "same-origin".'),
|
||||
'value' => false,
|
||||
'errorMessage' => '',
|
||||
'test' => 'testBool',
|
||||
'type' => 'boolean',
|
||||
'null' => true,
|
||||
],
|
||||
'email_otp_enabled' => array(
|
||||
'level'=> 2,
|
||||
'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'),
|
||||
|
|
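Review bot: The operator-facing description at line 68 is ungrammatical ("will be allow just when") and does not warn that `same-site` is rejected, which is the case most likely to surprise an administrator who enables it; I would change it to `'description' => __('If enabled, any POST, PUT or AJAX request is allowed only when the Sec-Fetch-Site header is absent or set to "same-origin". Requests from other subdomains of the same site ("same-site") are rejected as well.'),`. As a minor point of style, the new entry uses short array syntax `[` while the neighbouring settings in this block use `array(`; matching the surrounding form keeps the settings table uniform.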