Add config parameter to enable/disable X-Frame header

This commit is contained in:
Frederic Guillot 2016-12-26 18:07:00 -05:00
parent 59a721ce18
commit 09dd04f698
4 changed files with 17 additions and 1 deletions


@ -36,6 +36,7 @@ defined('SUBSCRIPTION_CONCURRENT_REQUESTS') or define('SUBSCRIPTION_CONCURRENT_R
defined('RULES_DIRECTORY') or define('RULES_DIRECTORY', ROOT_DIRECTORY.DIRECTORY_SEPARATOR.'rules'); defined('RULES_DIRECTORY') or define('RULES_DIRECTORY', ROOT_DIRECTORY.DIRECTORY_SEPARATOR.'rules');
defined('ENABLE_XFRAME') or define('ENABLE_XFRAME', true);
defined('ENABLE_HSTS') or define('ENABLE_HSTS', true); defined('ENABLE_HSTS') or define('ENABLE_HSTS', true);
defined('ENABLE_CRONJOB_HTTP_ACCESS') or define('ENABLE_CRONJOB_HTTP_ACCESS', true); defined('ENABLE_CRONJOB_HTTP_ACCESS') or define('ENABLE_CRONJOB_HTTP_ACCESS', true);


@ -40,10 +40,13 @@ Router\before(function ($action) {
'referrer' => 'no-referrer', 'referrer' => 'no-referrer',
)); ));
Response\xframe();
Response\xss(); Response\xss();
Response\nosniff(); Response\nosniff();
if (ENABLE_XFRAME) {
Response\xframe();
}
if (ENABLE_HSTS && Helper\is_secure_connection()) { if (ENABLE_HSTS && Helper\is_secure_connection()) {
Response\hsts(); Response\hsts();
} }
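Review bot: Setting ENABLE_XFRAME to false removes the only header-level clickjacking defence this block sends, unless the Response\csp() array that starts above the hunk already carries a `frame-ancestors` directive, which the visible lines do not show. If the motivation is embedding the UI in an iframe on one trusted origin, a safer shape is to keep the header and make its value configurable instead of a boolean off switch, e.g. `define('XFRAME_OPTIONS', 'DENY')` with `Response\xframe(XFRAME_OPTIONS)` (assuming Response\xframe() accepts a value argument, which cannot be confirmed here), or to send `Content-Security-Policy: frame-ancestors <origin>` alongside so embedding is allowlisted rather than wide open. Whatever the shape, the new branch deserves a why-comment such as `// Clickjacking protection; disable only when the UI is deliberately embedded on another site.` The Router\before closure begins before and continues past this hunk.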


@ -57,3 +57,9 @@ define('SUBSCRIPTION_CONCURRENT_REQUESTS', 5);
// Allow the cronjob to be accessible from the browser // Allow the cronjob to be accessible from the browser
define('ENABLE_CRONJOB_HTTP_ACCESS', true); define('ENABLE_CRONJOB_HTTP_ACCESS', true);
// Enable/disable HTTP header X-Frame-Options
define('ENABLE_XFRAME', true);
// Enable/disable HSTS HTTP header
define('ENABLE_HSTS', true);
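Review bot: The comment on the new ENABLE_XFRAME define tells an operator what the switch toggles but not what they give up by flipping it, which is the one thing a security setting's comment should say. Suggest `// Send the X-Frame-Options header (clickjacking protection). Set to false only if the UI must be embedded in an iframe on another site.` and, for symmetry, `// Send the HSTS header on HTTPS connections (set to false only if TLS is terminated in a way that makes this header wrong).` on the ENABLE_HSTS line. The defaults of true are the right secure-by-default choice; the hunk header reports six additions while four lines are visible, so blank lines were presumably lost in rendering.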


@ -106,4 +106,10 @@ define('SUBSCRIPTION_CONCURRENT_REQUESTS', 5);
// Allow the cronjob to be accessible from the browser // Allow the cronjob to be accessible from the browser
define('ENABLE_CRONJOB_HTTP_ACCESS', true); define('ENABLE_CRONJOB_HTTP_ACCESS', true);
// Enable/disable HTTP header X-Frame-Options
define('ENABLE_XFRAME', true);
// Enable/disable HSTS HTTP header
define('ENABLE_HSTS', true);