setting more http headers to improve security

views/bootstrap/class.Bootstrap.php

@@ -57,12 +57,17 @@ class SeedDMS_Bootstrap_Style extends SeedDMS_View_Common {
 			 * Content-Security-Policy since version 23+
 			 * 'worker-src blob:' is needed for cytoscape
 			 */
-			$csp_rules = "script-src 'self' 'unsafe-eval'; worker-src blob:;"; // style-src 'self';";
+			$csp_rules = "script-src 'self' 'unsafe-eval';";
+			$csp_rules .= "worker-src blob:;";
+			//$csp_rules .= "style-src 'self';";
+			/* Do not allow to embed myself into frames on foreigns pages */
+			$csp_rules .= "frame-ancestors 'self';";
 			foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
 				header($csp . ": " . $csp_rules);
 			}
 		}
-//		header('X-Content-Type-Options: nosniff');
+		header('X-Content-Type-Options: nosniff');
+		header('Strict-Transport-Security: max-age=15768000');
 		if($httpheader) {
 			foreach($httpheader as $name=>$value) {
 				header($name . ": " . $value);