mahara-contributors team mailing list archive

Thread
Date

[Bug 1531987] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1531987@xxxxxxxxxxxxxxxxxx>
Date: Mon, 21 Mar 2016 22:10:43 -0000
Reply-to: Bug 1531987 <1531987@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/6215
Committed: https://git.mahara.org/mahara/mahara/commit/d45af6dc1626736f6e8f9a2fcc8e45f854ef974c
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    15.04_STABLE

commit d45af6dc1626736f6e8f9a2fcc8e45f854ef974c
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date:   Thu Feb 4 16:33:11 2016 +1300

Adding some HTTP headers for security (Bug 1531987)

X-XSS-Protection: Tells the browser not to disable XSS protection

X-Content-Type-Options: Tells the browser not to try to guess at
mimetypes of downloads

X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
alternate crossdomain.xml files (which set the permissions on whether
this site allows itself to be accessed by scripts in Flash & PDF).
Prevents an attacker from uploading a more permissive crossdomain.xml

X-Powered-By: PHP by default sends this header with the current full
PHP version.

behatnotneeded: Selenium can't examine HTTP response headers

Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357
(cherry picked from commit 29656f034ff0eefa19fb6a0c24f006ff3ef9e1f0)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1531987

Title:
  Review HTTP headers to improve security

Status in Mahara:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed

Bug description:
  We need to review our HTTP headers to improve security and check which
  ones we should include per default and which ones might need to be
  configurable. The review will include but is not limited to:

  - Strict-Transport-Security
  - Content-Security-Policy
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Server
  - X-Powered-By
  - X-Permitted-Cross-Domain-Policies
  - Caching headers

  Initial reports for X-XSS-Protection header by SaifAllah benMassaoud
  and Zeeshan.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1531987/+subscriptions

References

[Bug 1531987] [NEW] Review HTTP headers to improve security
From: Kristina Hoeppner, 2016-01-07