 |
|
You are here: Foswiki>System Web>SecurityHeadersPlugin (2018/10/17, ProjectContributor)Edit Attach
SecurityHeadersPlugin
Add HTTP security headers to protect against XSS attacksOn this page:
HTTP headers are included in every HTTP response from a web server. Setting the
appropriate HTTP headers can reduce the risk of man-in-the-middle and
cross-site-scripting attacks on a web application. You can also reduce
information leaks about the web application configuration - vital data that
gives a would-be attacker clues about potential vulnerabilities. Read on to
find out how to set the appropriate headers in your Perl web application.
The following headers are set:
-
X-Frame-Options: protect site from being loaded into an frame or iframe (specs) -
Strict-Transport-Security: requester to load all content via HTTPS -
Content-Security-Policy: sets a whitelist of domains from which content can be safely loaded (specs)
-
X-Content-Type-Options: disable mime sniffing, disabled by default in IE but enforced anyway. -
X-Download-Options: prevent IE from opening an HTML file directly -
X-XSS-Protection: turn on its XSS filter
-
X-Content-Security-Policy: IE10+ -
X-Webkit-CSP: iOS Safari 5.0-5.1
Installation Instructions
You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server. Open configure, and open the "Extensions" section. "Extensions Operation and Maintenance" Tab -> "Install, Update or Remove extensions" Tab. Click the "Search for Extensions" button. Enter part of the extension name or description and press search. Select the desired extension(s) and click install. If an extension is already installed, it will not show up in the search results. You can also install from the shell by running the extension installer as the web server user: (Be sure to run as the webserver user, not as root!)cd /path/to/foswiki perl tools/extension_installer <NameOfExtension> installIf you have any problems, or if the extension isn't available in
configure, then you can still install manually from the command-line. See https://foswiki.org/Support/ManuallyInstallingExtensions for more help.
Dependencies
NoneChange History
| 17 Oct 2018 | more reasonable default settings |
| 09 Sep 2016 | added child-src policty in addition to the now deprected frame-src |
| 08 Mar 2016 | fixed xss protection |
PackageForm edit
| Author | Michael Daum |
| Version | 1.10 |
| Release | 17 Oct 2018 |
| Description | Add HTTP security headers to protect against XSS attacks |
| Repository | https://github.com/foswiki/SecurityHeadersPlugin |
| Copyright | 2015-2018 Michael Daum http://michaeldaumconsulting.com |
| License | GPL (GNU General Public License) |
| Home | https://foswiki.org/Extensions/SecurityHeadersPlugin |
| Support | https://foswiki.org/Support/SecurityHeadersPlugin |
Edit | Attach | Print version | History: r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r1 - 2018/10/17, ProjectContributor
- User Reference
- BeginnersStartHere
- EditingShorthand
- Macros
- MacrosQuickReference
- FormattedSearch
- QuerySearch
- DocumentGraphics
- SkinBrowser
- InstalledPlugins
- Admin Maintenance
- Reference Manual
- AdminToolsCategory
- InterWikis
- ManagingWebs
- SiteTools
- DefaultPreferences
- WebPreferences
Machs
Copyright © by the contributing authors. All material on this site is the property of the contributing authors. Ideas, requests, problems regarding Foswiki? Send feedback