Item12914: Add security related HTTP headers following various best practices

# ---+++ HTTP Security Headers
# Enable security headers for secure web applications. See also http://perltricks.com/article/81/2014/3/31/Perl-web-application-security-HTTP-headers
# **BOOLEAN**
# Set the X-Frame-Options header to "DENY":
# This header can prevent your application responses from being loaded within
# frame or iframe HTML elements. This is to prevent clickjacking
# requests where your application response is displayed on another website,
# within an invisible iframe, which then hijacks the user's request when they
# click a link on your website.
$Foswiki::cfg{DenyFrameOptions} = 1;

# **STRING**
# Require all resources to be loaded via SSL.
# This header instructs the requester to load all content from the domain via
# HTTPS and not load any content unless there is a valid ssl certificate. This
# header can help prevent man-in-middle attacks as it ensures that all HTTP
# requests and responses are encrypted. The Strict-Transport-Security header has
# a max-age parameter that defines how long in seconds to enforce the policy for. 
$Foswiki::cfg{StrictTransportSecurity} = "max-age=3600";

# **STRING EXPERT**
# Set the content security policy.
# The CSP header sets a whitelist of domains from which content can be safely
# loaded. This prevents most types of XSS attack, assuming the malicious content
# is not hosted by a whitelisted domain. For example this specifies that all
# content should only be loaded from the responding domain: "default-src 'self'"
# WARNING: Enabling this setting will currently render your Foswiki non-operational 
# as it relys on unsafe inline css and js.
$Foswiki::cfg{ContentSecurityPolicy} = ""; 

# **STRING**
# IE-only header to disable mime sniffing.
# This is an IE only header that is used to disable mime sniffing. The
# vulnerability is that IE will auto-execute any script code contained in a file
# when IE attempts to detect the file type.
$Foswiki::cfg{ContentTypeOptions} = "nosniff"; 


# **STRING**
# IE-only header that prevents it from opening an HTML file directly on download.
# This is another IE-only header that prevents IE from opening an HTML file
# directly on download from a website. The security issue here is, if a browser
# opens the file directly, it can run as if it were part of the site.
$Foswiki::cfg{DownloadOptions} = "noopen"; 

# **STRING**
# IE-only header to force it to turn on its XSS filter (IE >= 8)
# This header was introduced in IE8 as part of the
# cross-site-scripting (XSS) filter functionality (more here). Additionally it
# has an optional setting called "mode" that can force IE to block the entire
# page if an XSS attempt is detected.
$Foswiki::cfg{XSSProtection} = "1; mode=block"; 

sub modifyHeaderHandler {
  my ($headers, $query) = @_;

  # force IE to the latest version; use chrome frame if available
  my $xuaCompatible = $Foswiki::cfg{XuaCompatible};
  $xuaCompatible = 'ie=edge,chrome=1' unless defined $xuaCompatible;
  $headers->{"X-UA-Compatible"} = $xuaCompatible if $xuaCompatible;

  # enable security headers
  $headers->{"X-Frame-Options"} = "DENY" if $Foswiki::cfg{DenyFrameOptions};
  $headers->{"Strict-Transport-Security"} = $Foswiki::cfg{StrictTransportSecurity} if $Foswiki::cfg{StrictTransportSecurity};
  $headers->{"X-Content-Type-Options"} = $Foswiki::cfg{ContentTypeOptions} if $Foswiki::cfg{ContentTypeOptions}; 
  $headers->{"X-Download-Options"} = $Foswiki::cfg{DownloadOptions} if $Foswiki::cfg{DownloadOptions};
  $headers->{"X-XSS-Protection"} = $Foswiki::cfg{XSSProtection} if $Foswiki::cfg{XSSProtection};

  if ($Foswiki::cfg{ContentSecurityPolicy}) {
    $headers->{"Content-Security-Policy"} = $Foswiki::cfg{ContentSecurityPolicy};

    # deprecated header
    # $headers->{"X-Content-Security-Policy"} = $Foswiki::cfg{ContentSecurityPolicy};
    # $headers->{"X-Webkit-Csp"} = $Foswiki::cfg{ContentSecurityPolicy};
  }
}