Merge pull request #6081 from JakubOnderka/security_disable_browser_cache
new: [security] HTTP headers hardening
pull/6703/head
commit
e15ca97f33
@ -134,6 +134,15 @@ class AppController extends Controller
|
|||
$this->_stop();
|
||||
}
|
||||
}
|
||||
if (Configure::read('Security.check_sec_fetch_site_header')) {
|
||||
$secFetchSite = $this->request->header('Sec-Fetch-Site');
|
||||
if ($secFetchSite !== false && $secFetchSite !== 'same-origin' && ($this->request->is('post') || $this->request->is('put') || $this->request->is('ajax'))) {
|
||||
throw new MethodNotAllowedException("POST, PUT and AJAX requests are allowed just from same origin.");
|
||||
}
|
||||
}
|
||||
if (Configure::read('Security.disable_browser_cache')) {
|
||||
$this->response->disableCache();
|
||||
}
|
||||
$this->response->header('X-XSS-Protection', '1; mode=block');
|
||||
|
||||
if (!empty($this->params['named']['sql'])) {
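Review bot: The Sec-Fetch-Site guard (line 25) answers with MethodNotAllowedException, i.e. a 405, although the method itself is supported and the request is refused because of its origin; `throw new ForbiddenException('POST, PUT and AJAX requests are only allowed from the same origin.');` gives the accurate 403 and keeps these refusals distinguishable from genuinely unsupported methods in logs and monitoring. The condition also rejects `same-site` and `none`, not only `cross-site`, while the error text and the setting description speak only of "same-origin"; a short comment such as `// Reject any browser-originated state-changing request that is not same-origin; a missing header (non-browser client) is allowed` would make the intended policy explicit. Consider logging the refused request (remote address, path, header value) before throwing, since a blocked cross-site POST is exactly the event a defender wants to see. The enclosing method starts and ends outside the hunk.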
|
||||
|
|
|
@ -550,6 +550,9 @@ class RestResponseComponent extends Component
|
|||
$headers["Access-Control-Allow-Origin"] = explode(',', Configure::read('Security.cors_origins'));
|
||||
$headers["Access-Control-Expose-Headers"] = ["X-Result-Count"];
|
||||
}
|
||||
if (Configure::read('Security.disable_browser_cache')) {
|
||||
$cakeResponse->disableCache();
|
||||
}
|
||||
if (!empty($this->headers)) {
|
||||
$cakeResponse->header($this->headers);
|
||||
}
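Review bot: `$cakeResponse->disableCache()` (line 72) runs before `$cakeResponse->header($this->headers)` (line 81), so any Cache-Control, Expires or Pragma entry present in `$this->headers` would override the no-cache headers the `Security.disable_browser_cache` setting is meant to enforce; if that override is not intended, move the `disableCache()` block after the header merge, or add a comment stating that component-level headers deliberately take precedence. The same `Configure::read('Security.disable_browser_cache')` check is duplicated in AppController in this commit, so a small shared helper would keep the two call sites from drifting. The enclosing method starts and ends outside the hunk.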
|
||||
|
|
|
@ -1396,6 +1396,24 @@ class Server extends AppModel
|
|||
'type' => 'boolean',
|
||||
'null' => true
|
||||
),
|
||||
'disable_browser_cache' => array(
|
||||
'level' => 0,
|
||||
'description' => __('If enabled, HTTP headers that block browser cache will be send. Static files (like images or JavaScripts) will still be cached, but not generated pages.'),
|
||||
'value' => false,
|
||||
'errorMessage' => '',
|
||||
'test' => 'testBool',
|
||||
'type' => 'boolean',
|
||||
'null' => true,
|
||||
),
|
||||
'check_sec_fetch_site_header' => [
|
||||
'level' => 0,
|
||||
'description' => __('If enabled, any POST, PUT or AJAX request will be allow just when Sec-Fetch-Site header is not defined or contains "same-origin".'),
|
||||
'value' => false,
|
||||
'errorMessage' => '',
|
||||
'test' => 'testBool',
|
||||
'type' => 'boolean',
|
||||
'null' => true,
|
||||
],
|
||||
'email_otp_enabled' => array(
|
||||
'level'=> 2,
|
||||
'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'),
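Review bot: The two user-facing descriptions added at lines 108 and 135 read awkwardly: "HTTP headers that block browser cache will be send" should be `'... will be sent'`, and "will be allow just when Sec-Fetch-Site header is not defined or contains \"same-origin\"" should be `'... will be allowed only when the Sec-Fetch-Site header is absent or equals "same-origin"'`. The second description is where an operator learns the policy, so it is worth stating that requests carrying `same-site`, `cross-site` or `none` are rejected, matching the check in AppController. Style: the new `disable_browser_cache` entry uses `array(` (line 102) while the adjacent new `check_sec_fetch_site_header` entry uses `[` (line 129); one form should be used within the same change. The enclosing settings array starts and ends outside the hunk.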
|
||||
|
|