setting more http headers to improve security

2025-10-31 05:11:27 +00:00 · 2020-03-13 19:43:47 +01:00 · 2020-03-13 19:43:47 +01:00 · 8497e652f6
commit 8497e652f6
parent 7fcc100ae7
1 changed files with 7 additions and 2 deletions
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@ -57,12 +57,17 @@ class SeedDMS_Bootstrap_Style extends SeedDMS_View_Common {
 			 * Content-Security-Policy since version 23+
 			 * 'worker-src blob:' is needed for cytoscape
 			 */
-			$csp_rules = "script-src 'self' 'unsafe-eval'; worker-src blob:;"; // style-src 'self';";
+			$csp_rules = "script-src 'self' 'unsafe-eval';";
 			$csp_rules .= "worker-src blob:;";
 			//$csp_rules .= "style-src 'self';";
 			/* Do not allow to embed myself into frames on foreigns pages */
 			$csp_rules .= "frame-ancestors 'self';";
 			foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
 				header($csp . ": " . $csp_rules);
 			}
 		}
-//		header('X-Content-Type-Options: nosniff');
+		header('X-Content-Type-Options: nosniff');
 		header('Strict-Transport-Security: max-age=15768000');
 		if($httpheader) {
 			foreach($httpheader as $name=>$value) {
 				header($name . ": " . $value);