Adding HTTP headers to address certain XSS attacks, resolves #91
This commit is contained in:
parent
ec7af3a738
commit
8cfcf1c9f5
1 changed files with 4 additions and 1 deletions
|
@ -403,12 +403,15 @@ class PrivateBin
|
|||
{
|
||||
// set headers to disable caching
|
||||
$time = gmdate('D, d M Y H:i:s \G\M\T');
|
||||
header('Cache-Control: no-store, no-cache, must-revalidate');
|
||||
header('Cache-Control: no-store, no-cache, no-transform, must-revalidate');
|
||||
header('Pragma: no-cache');
|
||||
header('Expires: ' . $time);
|
||||
header('Last-Modified: ' . $time);
|
||||
header('Vary: Accept');
|
||||
header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
|
||||
header('X-Xss-Protection: 1; mode=block');
|
||||
header('X-Frame-Options: DENY');
|
||||
header('X-Content-Type-Options: nosniff');
|
||||
|
||||
// label all the expiration options
|
||||
$expire = array();
|
||||
|
|
Loading…
Reference in a new issue