From 8cfcf1c9f55479cdf581a28e505a6b5d027e373c Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 18 Sep 2016 11:29:37 +0200 Subject: [PATCH] Adding HTTP headers to address certain XSS attacks, resolves #91 --- lib/PrivateBin.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/PrivateBin.php b/lib/PrivateBin.php index 9b41682b..68985e60 100644 --- a/lib/PrivateBin.php +++ b/lib/PrivateBin.php @@ -403,12 +403,15 @@ class PrivateBin { // set headers to disable caching $time = gmdate('D, d M Y H:i:s \G\M\T'); - header('Cache-Control: no-store, no-cache, must-revalidate'); + header('Cache-Control: no-store, no-cache, no-transform, must-revalidate'); header('Pragma: no-cache'); header('Expires: ' . $time); header('Last-Modified: ' . $time); header('Vary: Accept'); header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader')); + header('X-Xss-Protection: 1; mode=block'); + header('X-Frame-Options: DENY'); + header('X-Content-Type-Options: nosniff'); // label all the expiration options $expire = array();