Merge pull request #6081 from JakubOnderka/security_disable_browser_cache

new: [security] HTTP headers hardening
2020-11-24 21:00:02 +01:00 · 2020-11-24 21:00:02 +01:00 · e15ca97f33
parent abd8b49e19 63ae5c16e0
commit e15ca97f33
3 changed files with 30 additions and 0 deletions
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@ -134,6 +134,15 @@ class AppController extends Controller
                $this->_stop();
            }
        }
+        if (Configure::read('Security.check_sec_fetch_site_header')) {
+            $secFetchSite = $this->request->header('Sec-Fetch-Site');
+            if ($secFetchSite !== false && $secFetchSite !== 'same-origin' && ($this->request->is('post') || $this->request->is('put') || $this->request->is('ajax'))) {
+                throw new MethodNotAllowedException("POST, PUT and AJAX requests are allowed just from same origin.");
+            }
+        }
+        if (Configure::read('Security.disable_browser_cache')) {
+            $this->response->disableCache();
+        }
        $this->response->header('X-XSS-Protection', '1; mode=block');

        if (!empty($this->params['named']['sql'])) {
--- a/app/Controller/Component/RestResponseComponent.php
+++ b/app/Controller/Component/RestResponseComponent.php
@ -550,6 +550,9 @@ class RestResponseComponent extends Component
            $headers["Access-Control-Allow-Origin"] = explode(',', Configure::read('Security.cors_origins'));
            $headers["Access-Control-Expose-Headers"] = ["X-Result-Count"];
        }
+        if (Configure::read('Security.disable_browser_cache')) {
+            $cakeResponse->disableCache();
+        }
        if (!empty($this->headers)) {
            $cakeResponse->header($this->headers);
        }
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@ -1396,6 +1396,24 @@ class Server extends AppModel
                            'type' => 'boolean',
                            'null' => true
                        ),
+                        'disable_browser_cache' => array(
+                            'level' => 0,
+                            'description' => __('If enabled, HTTP headers that block browser cache will be send. Static files (like images or JavaScripts) will still be cached, but not generated pages.'),
+                            'value' => false,
+                            'errorMessage' => '',
+                            'test' => 'testBool',
+                            'type' => 'boolean',
+                            'null' => true,
+                        ),
+                        'check_sec_fetch_site_header' => [
+                            'level' => 0,
+                            'description' => __('If enabled, any POST, PUT or AJAX request will be allow just when Sec-Fetch-Site header is not defined or contains "same-origin".'),
+                            'value' => false,
+                            'errorMessage' => '',
+                            'test' => 'testBool',
+                            'type' => 'boolean',
+                            'null' => true,
+                        ],
                        'email_otp_enabled' => array(
                                'level'=> 2,
                                'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'),