mahara-contributors team mailing list archive

Thread
Date

[Bug 1531987] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1531987@xxxxxxxxxxxxxxxxxx>
Date: Mon, 21 Mar 2016 20:09:37 -0000
Reply-to: Bug 1531987 <1531987@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/6009
Committed: https://git.mahara.org/mahara/mahara/commit/29656f034ff0eefa19fb6a0c24f006ff3ef9e1f0
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    master

commit 29656f034ff0eefa19fb6a0c24f006ff3ef9e1f0
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date:   Thu Feb 4 16:33:11 2016 +1300

Adding some HTTP headers for security (Bug 1531987)

X-XSS-Protection: Tells the browser not to disable XSS protection

X-Content-Type-Options: Tells the browser not to try to guess at
mimetypes of downloads

X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
alternate crossdomain.xml files (which set the permissions on whether
this site allows itself to be accessed by scripts in Flash & PDF).
Prevents an attacker from uploading a more permissive crossdomain.xml

X-Powered-By: PHP by default sends this header with the current full
PHP version.

behatnotneeded: Selenium can't examine HTTP response headers

Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1531987

Title:
  Review HTTP headers to improve security

Status in Mahara:
  Fix Committed
Status in Mahara 1.10 series:
  In Progress
Status in Mahara 15.04 series:
  In Progress
Status in Mahara 15.10 series:
  In Progress

Bug description:
  We need to review our HTTP headers to improve security and check which
  ones we should include per default and which ones might need to be
  configurable. The review will include but is not limited to:

  - Strict-Transport-Security
  - Content-Security-Policy
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Server
  - X-Powered-By
  - X-Permitted-Cross-Domain-Policies
  - Caching headers

  Initial reports for X-XSS-Protection header by SaifAllah benMassaoud
  and Zeeshan.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1531987/+subscriptions

References

[Bug 1531987] [NEW] Review HTTP headers to improve security
From: Kristina Hoeppner, 2016-01-07