├── .gitignore
├── CHANGELOG.md
├── pages
    ├── index.php
    ├── main.php
    └── config.php
├── .travis.yml
├── package.yml
├── install.php
├── LICENSE
├── README.md
└── boot.php


/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | .DS_Store?
3 | ._*
4 | .Spotlight-V100
5 | .Trashes
6 | ehthumbs.db
7 | Thumbs.db
8 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | # HTTP_HEADERS
 2 | 
 3 | ### Changelog
 4 | 
 5 | ##### 26.10.2020  
 6 | 
 7 | - add Changelog
 8 | - rename package
 9 |   
10 | 


--------------------------------------------------------------------------------
/pages/index.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 | 
4 | echo rex_view::title('HTTP Header');
5 | $subpage = rex_be_controller::getCurrentPagePart(2);
6 | 
7 | rex_be_controller::includeCurrentPageSubPath();
8 | 


--------------------------------------------------------------------------------
/pages/main.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 | $content = '';
4 | 
5 | $fragment = new rex_fragment();
6 | $fragment->setVar('title', $this->i18n('main_title'), false);
7 | $fragment->setVar('body', $content, false);
8 | echo $fragment->parse('core/page/section.php');
9 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | language: php
 2 | 
 3 | php:
 4 |     - '7.1'
 5 | 
 6 | cache:
 7 |   directories:
 8 |   - $HOME/.composer/cache
 9 |   
10 | before_install:
11 |     - phpenv config-rm xdebug.ini || echo "xdebug not available"
12 |     
13 | script:
14 |     - composer require --dev friendsofredaxo/linter
15 |     - vendor/bin/rexlint
16 | 


--------------------------------------------------------------------------------
/package.yml:
--------------------------------------------------------------------------------
 1 | package: http_headers
 2 | version: '0.0.5-beta'
 3 | title: 'HTTP Headers'
 4 | author: Friends Of REDAXO
 5 | supportpage: https://github.com/FriendsOfREDAXO/http_headers
 6 | 
 7 | page:
 8 |     title: 'HTTP Headers'
 9 |     perm: admin
10 |     icon: rex-icon fa-exclamation-triangle
11 | 
12 |     subpages:
13 |         config:
14 |             title: 'Einstellungen'
15 |             icon: rex-icon fa-wrench
16 |         help:
17 |             title: 'Info'
18 |             subPath: README.md
19 |             icon: rex-icon fa-book
20 | 
21 | requires:
22 |     redaxo: '^5.2'
23 |     php:
24 |         version: '^7.0'
25 | 


--------------------------------------------------------------------------------
/install.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | $addon = rex_addon::get('http_header');
 4 | 
 5 | if (!$addon->hasConfig()) {
 6 |     $addon->setConfig('x-frame-options_fb', 1);
 7 |     $addon->setConfig('x-frame-options', 'deny');
 8 |     $addon->setConfig('x-powered-by_fb', 1);
 9 |     $addon->setConfig('x-powered-by-always-unset', 1);
10 |     $addon->setConfig('referrerpolicy_fb', 1);
11 |     $addon->setConfig('referrerpolicy', 'no-referrer-when-downgrade');
12 | }
13 | 
14 | $somethingIsWrong = false;
15 | if ($somethingIsWrong) {
16 |     throw new rex_functional_exception('Something is wrong');
17 | }
18 | 
19 | // Alternativ kann ähnlich wie in R4 mit den Properties "install" und "installmsg" die Installation als nicht erfolgreich markiert werden.
20 | // Im Gegensatz zu R4 muss für eine erfolgreiche Installation keine Property mehr gesetzt werden.
21 | if ($somethingIsWrong) {
22 |     $this->setProperty('installmsg', 'Something is wrong');
23 |     $this->setProperty('install', false);
24 | }
25 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2016 Friends Of REDAXO
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Projekt eingestellt
 2 | 
 3 | Es wurde ein neues Addon entwickelt welches bald hoffentlich auch bei den FOR zu finden ist: https://github.com/iceman-fx/httpheader
 4 | 
 5 | ---
 6 | 
 7 | ## Wichtige Info
 8 | 
 9 | * **Mit den falschen Einstellungen kann es passieren, dass die Webseite nachhaltig nicht mehr wie gewünscht funktioniert!!**
10 | * Nicht alle Header werden von allen Browsern berücksichtigt. Wenn Du mehr wissen möchtest musst du googlen :-)
11 | * Nach der Aktivierung des AddOns und jeder Änderung muß unbedingt die Webseite auf Ihre Funktion geprüft werden!
12 | * Nicht übertreiben. Nicht immer ist es überall sinnvoll bei jedem test 100% zu erreichen! Nachdenken hilft.
13 | 
14 | ## Header testen
15 | 
16 | * https://siwecos.de
17 | * https://securityheaders.com
18 | * https://observatory.mozilla.org
19 | * https://cspvalidator.org
20 | * https://www.whatsmyip.org/http-headers/
21 | 
22 | ## Browser Plugins
23 | 
24 | ### Chrome
25 | 
26 | CSP Evaluator  
27 | * https://chrome.google.com/webstore/detail/csp-evaluator/fjohamlofnakbnbfjkohkbdigoodcejf?hl=de
28 | 
29 | CSP Mitigator  
30 | * https://chrome.google.com/webstore/detail/csp-mitigator/gijlobangojajlbodabkpjpheeeokhfa?hl=de
31 | 
32 | CSP Tester  
33 | * https://chrome.google.com/webstore/detail/csp-tester/ehmipebdmhlmikaopdfoinmcjhhfadlf?hl=de
34 | 
35 | Google Chrome Extension for 4ARMED's Content Security Policy Generator  
36 | * https://github.com/4armed/csp-generator-extension
37 | 
38 | 
39 | ### Firefox
40 | 
41 | Laboratory (Content Security Policy / CSP Toolkit)  
42 | * https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/
43 | 
44 | 
45 | ## Infoseiten (unsortiert und unvollständig)
46 | 
47 | * https://developer.mozilla.org/de/docs/Web/HTTP/Headers
48 | * https://www.cspisawesome.com
49 | * https://content-security-policy.com
50 | * https://www.codingblatt.de/http-security-header-website-sicherheit-erhoehen
51 | * https://www.scip.ch/?labs.20190214
52 | * https://www.globalsign.com/de-de/blog/was-ist-hsts-wie-fuehren-sie-es-ein
53 | * https://www.sgalinski.de/typo3-agentur/technik/security-header
54 | * https://zinoui.com/blog/security-http-headers
55 | * https://zinoui.com/blog/http-headers-for-wordpress
56 | * https://8020webdesign.ch/hsts-http-security-headers
57 | * https://www.selbstaendig-im-netz.de/webdesign/7-http-security-header-website-sicherheit/
58 | * https://spacehost.de/10-apache-header-eintraege-webseite-sicher-machen/
59 | * https://www.scip.ch/?labs.20180308
60 | 
61 | weitere Seiten folgen
62 | 
63 | ## HSTS preload list
64 | 
65 | * https://hstspreload.org  
66 | Beachte, dass die Aufnahme in die Preload-Liste nicht einfach rückgängig gemacht werden kann!
67 | 
68 | ## ToDo
69 | 
70 | - CSS auslagern
71 | - Funktionen erweitern
72 | - Readme ergänzen
73 | - Texarea für eigene Header angaben bereitstellen
74 | - Prüfen ob Header schon gesetzt wurden
75 | 
76 | ## Autor
77 | 
78 | **Friends Of REDAXO**
79 | 
80 | * http://www.redaxo.org
81 | * https://github.com/FriendsOfREDAXO
82 | 
83 | **Projekt-Lead**
84 | 
85 | [getaweb / Oliver Kreischer](https://getaweb.de)
86 | 
87 | 


--------------------------------------------------------------------------------
/boot.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | if (rex::isBackend() && is_object(rex::getUser())) {
 4 |     rex_perm::register('http_header[]');
 5 | }
 6 | 
 7 | $addon = rex_addon::get('http_header');
 8 | 
 9 |     // --------
10 |     // -------- X-Frame-Options
11 |     // --------
12 |     if($addon->getConfig('x-frame-options') != '') {
13 | 
14 |         $url = '';
15 |         $error = 0;
16 | 
17 |         if ($addon->getConfig('x-frame-options') == 'allow-from') {
18 |             if ($addon->getConfig('xframeurl') != '') {
19 |                 $url = ' ' . $addon->getConfig('xframeurl');
20 |             } else {
21 |                 $error = 1;
22 |             }
23 |         }
24 | 
25 |         if (!$error) {
26 |             if($addon->getConfig('x-content-type-options-nosniff_fb') == 1) {
27 |                 rex_response::setHeader('X-Frame-Options', '' . $addon->getConfig('x-frame-options') . $url . '');
28 |             } else {
29 |                 if (rex::isFrontend()) {
30 |                     rex_response::setHeader('X-Frame-Options', '' . $addon->getConfig('x-frame-options') . $url . '');
31 |                 }
32 |             }
33 |         }
34 |     }
35 | 
36 | 
37 | 
38 |     // --------
39 |     // --------  X-Content-Type-Options
40 |     // --------
41 |     if($addon->getConfig('x-content-type-options-nosniff') != '') {
42 |        if($addon->getConfig('x-content-type-options-nosniff_fb') == 1) {
43 |            rex_response::setHeader('X-Content-Type-Options', 'nosniff');
44 |         } else {
45 |            if (rex::isFrontend()) {
46 |                rex_response::setHeader('X-Content-Type-Options', 'nosniff');
47 |            }
48 |        }
49 |     }
50 | 
51 | 
52 | 
53 | 
54 |     // --------
55 |     // --------  X-Powered-By
56 |     // --------
57 |     if($addon->getConfig('x-powered-by-always-unset') != '') {
58 |         if($addon->getConfig('x-powered-by_fb') == 1) {
59 |             rex_response::setHeader('X-Powered-By', 'always unset');
60 |            } else {
61 |             if (rex::isFrontend()) {
62 |                 rex_response::setHeader('X-Powered-By', 'always unset');
63 |             }
64 |         }
65 |     }
66 | 
67 | 
68 | 
69 | // --------
70 | // --------  X-Powered-By
71 | // --------
72 | if($addon->getConfig('referrerpolicy') != '') {
73 |     if($addon->getConfig('referrerpolicy_fb') == 1) {
74 |         rex_response::setHeader('Referrer-Policy', ''.$addon->getConfig('referrerpolicy').'');
75 |     } else {
76 |         if (rex::isFrontend()) {
77 |             rex_response::setHeader('Referrer-Policy', ''.$addon->getConfig('referrerpolicy').'');
78 |         }
79 |     }
80 | }
81 | 
82 | 
83 | /*
84 | 
85 | rex_response::setHeader('Server', 'always unset');
86 | rex_response::setHeader('Strict-Transport-Security', 'max-age=31536000');
87 | rex_response::setHeader('Content-Security-Policy', 'connect-src "self"');
88 | 
89 | rex_response::setHeader('Feature-Policy', "geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'");
90 | */
91 | 
92 | 
93 | 


--------------------------------------------------------------------------------
/pages/config.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | // https://codepen.io/James97/pen/LRmPmb
  4 | 
  5 | $content = '';
  6 | 
  7 | // dump(rex_system_report::factory()->get(3));
  8 | 
  9 | $addon = rex_addon::get('http_header');
 10 | 
 11 | $func = rex_request('func', 'string');
 12 | 
 13 | if ($func == 'update') {
 14 | 
 15 |     $this->setConfig(rex_post('config', [
 16 |         ['x-frame-options_fb', 'int'],
 17 |         ['x-frame-options', 'string'],
 18 |         ['xframeurl', 'string'],
 19 |         ['referrerpolicy_fb', 'int'],
 20 |         ['referrerpolicy', 'string'],
 21 |         ['strict-transport-security_lifetime', 'int'],
 22 |         ['strict-transport-security_subdomain', 'string'],
 23 |         ['strict-transport-security_preload', 'int'],
 24 |         ['x-powered-by_fb', 'int'],
 25 |         ['x-powered-by-always-unset', 'int'],
 26 |         ['x-content-type-options-nosniff_fb', 'int'],
 27 |         ['x-content-type-options-nosniff', 'int'],
 28 | 
 29 |     ]));
 30 | 
 31 |     echo rex_view::success('Die Einstellungen wurden gespeichert');
 32 | }
 33 | 
 34 | // --------
 35 | // -------- X-Frame-Options
 36 | // --------
 37 | $content .= '<div class="fieldsetwrapper green">';
 38 | $content .= '<fieldset>';
 39 | $content .= '<legend>X-Frame-Options';
 40 | $content .= '<a class="help-block rex-note" data-toggle="modal" href="#xframe">Mehr Informationen</a>';
 41 | $content .= '</legend>';
 42 | 
 43 | $content .= '<div class="fb_check"> ';
 44 | $formElements = [];
 45 | $n = [];
 46 | $n['label'] = '<label>Frontend <b>UND</b> Backend</label>';
 47 | $n['field'] = '<input type="checkbox" class="toggle" id="x-frame-options_fb" name="config[x-frame-options_fb]"' . (!empty($this->getConfig('x-frame-options_fb')) && $this->getConfig('x-frame-options_fb') == '1' ? ' checked="checked"' : '') . ' value="1" />';
 48 | $formElements[] = $n;
 49 | 
 50 | $fragment = new rex_fragment();
 51 | $fragment->setVar('elements', $formElements, false);
 52 | $content .= $fragment->parse('core/form/checkbox.php');
 53 | $content .= '</div>';
 54 | 
 55 | $formElements = [];
 56 | $n = [];
 57 | $n['label'] = '<label for="xframeselect">Auswahl</label>';
 58 | $select = new rex_select();
 59 | $select->setId('xframeselect');
 60 | $select->setAttribute('class', 'form-control');
 61 | $select->setName('config[x-frame-options]');
 62 | $select->addOption('-', '');
 63 | $select->addOption('deny', 'deny');
 64 | $select->addOption('sameorigin', 'sameorigin');
 65 | $select->addOption('allow-from uri', 'allow-from');
 66 | $select->setSelected($this->getConfig('x-frame-options'));
 67 | $n['field'] = $select->get();
 68 | $formElements[] = $n;
 69 | 
 70 | $fragment = new rex_fragment();
 71 | $fragment->setVar('elements', $formElements, false);
 72 | $content .= $fragment->parse('core/form/form.php');
 73 | 
 74 | $content .= '<fieldset id="xframesurl">';
 75 | $formElements = [];
 76 | $n = [];
 77 | $n['label'] = '<label for="xframeurl">URL</label>';
 78 | $n['field'] = '<input class="form-control" type="text" id="xframeurl" name="config[xframeurl]" placeholder="Immer die vollständige URL mit https:// angeben" value="' . $this->getConfig('xframeurl') . '"/>';
 79 | $formElements[] = $n;
 80 | 
 81 | $fragment = new rex_fragment();
 82 | $fragment->setVar('elements', $formElements, false);
 83 | $content .= $fragment->parse('core/form/form.php');
 84 | $content .= '</fieldset>';
 85 | 
 86 | if ($addon->getConfig('x-frame-options') == 'allow-from' AND $addon->getConfig('xframeurl') == '') {
 87 |     $content .= '<p class="alert alert-danger">Sofern bei der Auswahl <b>allow-from uri</b> ausgewählt wurde muß zwingend eine <b>URL angegeben</b> werden.</p>';
 88 | }
 89 | 
 90 | $content .= '</fieldset>';
 91 | $content .= ' 
 92 | <div class="modal fade" id="xframe" tabindex="-1">
 93 |   <div class="modal-dialog modal-dialog-centered" role="document">
 94 |     <div class="modal-content">
 95 |       <div class="modal-header">
 96 |         <h2 class="modal-title">X-Frame-Options
 97 |         <span class="close" data-dismiss="modal" aria-label="Close">&times;</span>
 98 |         </h2>
 99 |       </div>
100 |      <div class="modal-body">
101 |             <p><b>deny</b><br/>
102 |             Die Seite kann nicht in einem iFrame eingebettet werden, egal welches die aufrufende Webseite ist.</p>
103 |             <p><b>sameorigin</b><br/>
104 |             Die Seite kann nur als iFrame eingebettet werden, wenn beide von der gleichen Quellseite stammen.
105 |             <p><b>allow-from uri</b><br/>
106 |             Die Seite lässt sich ausschließlich dann einbetten, wenn die einbettende Seite aus der Quelle uri stammt.</p>
107 |        </div>      
108 |     </div>
109 |   </div>
110 | </div>
111 | ';
112 | 
113 | $content .= '</div>';
114 | 
115 | 
116 | // --------
117 | // -------- X-Powered-By
118 | // --------
119 | 
120 | $content .= '<div class="fieldsetwrapper green">';
121 | $content .= '<fieldset>';
122 | $content .= '<legend>X-Powered-By';
123 | $content .= '<a class="help-block rex-note" data-toggle="modal" href="#x-powered-by">Mehr Informationen.</a>';
124 | $content .= '</legend>';
125 | 
126 | 
127 | $content .= '<div class="fb_check"> ';
128 | $formElements = [];
129 | $n = [];
130 | $n['label'] = '<label>Frontend <b>UND</b> Backend</label>';
131 | $n['field'] = '<input type="checkbox" class="toggle" id="x-powered-by_fb" name="config[x-powered-by_fb]"' . (!empty($this->getConfig('x-powered-by_fb')) && $this->getConfig('x-powered-by_fb') == '1' ? ' checked="checked"' : '') . ' value="1" />';
132 | $formElements[] = $n;
133 | 
134 | $fragment = new rex_fragment();
135 | $fragment->setVar('elements', $formElements, false);
136 | $content .= $fragment->parse('core/form/checkbox.php');
137 | $content .= '</div>';
138 | 
139 | 
140 | $formElements = [];
141 | $n = [];
142 | $n['label'] = '<label>always unset</label>';
143 | $n['field'] = '<input type="checkbox" class="toggle" id="x-powered-by-always-unset" name="config[x-powered-by-always-unset]"' . (!empty($this->getConfig('x-powered-by-always-unset')) && $this->getConfig('x-powered-by-always-unset') == '1' ? ' checked="checked"' : '') . ' value="1" />';
144 | $formElements[] = $n;
145 | $fragment = new rex_fragment();
146 | $fragment->setVar('elements', $formElements, false);
147 | $content .= $fragment->parse('core/form/checkbox.php');
148 | $content .= '</fieldset>';
149 | 
150 | $content .= ' 
151 | <div class="modal fade" id="x-powered-by" tabindex="-1" >
152 |   <div class="modal-dialog modal-dialog-centered" role="document">
153 |     <div class="modal-content">
154 |       <div class="modal-header">
155 |         <h2 class="modal-title">X-Powered-By
156 |         <span class="close" data-dismiss="modal" aria-label="Close">&times;</span>
157 |         </h2>
158 |       </div>
159 |      <div class="modal-body"> 
160 |             <p>X-Powered-By kann die verwendete PHP Version zurückgeben und je weniger Infos ein Angreifer hat desto besser! Also: ABSCHALTEN! </p>
161 |        </div>      
162 |     </div>
163 |   </div>
164 | </div>
165 | ';
166 | 
167 | $content .= '</div>';
168 | 
169 | 
170 | 
171 | 
172 | 
173 | 
174 | 
175 | // --------
176 | // -------- Referrer-Policy
177 | // --------
178 | 
179 | $content .= '<div class="fieldsetwrapper green">';
180 | $content .= '<fieldset>';
181 | $content .= '<legend>Referrer-Policy';
182 | $content .= '<a class="help-block rex-note" data-toggle="modal" href="#referrerpolicy_modal">Mehr Informationen.</a>';
183 | $content .= '</legend>';
184 | 
185 | $content .= '<div class="fb_check"> ';
186 | $formElements = [];
187 | $n = [];
188 | $n['label'] = '<label>Frontend <b>UND</b> Backend</label>';
189 | $n['field'] = '<input type="checkbox" class="toggle" id="referrerpolicy_fb" name="config[referrerpolicy_fb]"' . (!empty($this->getConfig('referrerpolicy_fb')) && $this->getConfig('referrerpolicy_fb') == '1' ? ' checked="checked"' : '') . ' value="1" />';
190 | $formElements[] = $n;
191 | 
192 | $fragment = new rex_fragment();
193 | $fragment->setVar('elements', $formElements, false);
194 | $content .= $fragment->parse('core/form/checkbox.php');
195 | $content .= '</div>';
196 | 
197 | $formElements = [];
198 | $n = [];
199 | $n['label'] = '<label for="xframeselect">Auswahl</label>';
200 | $select = new rex_select();
201 | $select->setId('referrerpolicy');
202 | $select->setAttribute('class', 'form-control');
203 | $select->setName('config[referrerpolicy]');
204 | $select->addOption('-', '');
205 | $select->addOption('no-referrer', 'no-referrer');
206 | $select->addOption('no-referrer-when-downgrade', 'no-referrer-when-downgrade');
207 | $select->addOption('same-origin', 'same-origin');
208 | $select->addOption('origin', 'origin');
209 | $select->addOption('strict-origin', 'strict-origin');
210 | $select->addOption('origin-when-cross-origin', 'origin-when-cross-origin');
211 | $select->addOption('strict-origin-when-cross-origin', 'strict-origin-when-cross-origin');
212 | $select->addOption('unsafe-url', 'unsafe-url');
213 | $select->setSelected($this->getConfig('referrerpolicy'));
214 | $n['field'] = $select->get();
215 | $formElements[] = $n;
216 | 
217 | $fragment = new rex_fragment();
218 | $fragment->setVar('elements', $formElements, false);
219 | $content .= $fragment->parse('core/form/form.php');
220 | 
221 | $content .= '</fieldset>';
222 | 
223 | $content .= ' 
224 | <div class="modal fade" id="referrerpolicy_modal" tabindex="-1">
225 |   <div class="modal-dialog modal-dialog-centered" role="document">
226 |     <div class="modal-content">
227 |       <div class="modal-header">
228 |         <h2 class="modal-title">Referrer-Policy
229 |         <span class="close" data-dismiss="modal" aria-label="Close">&times;</span>
230 |         </h2>
231 |       </div>
232 |      <div class="modal-body">
233 |             <p><b>no-referrer</b><br/>
234 |             Der Referer-Header wird vollständig weggelassen. Es werden keine Referrer-Informationen zusammen mit Anfragen gesendet.</p>
235 |             
236 |             <p><b>no-referrer-when-downgrade</b><br/>
237 |             Dies ist das Standardverhalten, wenn keine Richtlinie angegeben ist oder wenn der angegebene Wert ungültig ist.</p>
238 | 
239 |             <p><b>same-origin</b><br/>
240 |             Der Wert `same-origin` weist den Browser an, nur Referer Header zu senden, die von Ihrer Webseite gestellt werden. Wenn das Ziel eine andere Domain ist, werden keine Referrer-Informationen gesendet.</p>       
241 | 
242 |             <p><b>origin</b><br/>
243 |             Damit wird immer die Origin der auslösenden Seite in den Referer Informationen des Requests mitgegeben. Es werden allerdings keine Informationen zum genauen Pfad weitergegeben</p>
244 | 
245 |             <p><b>strict-origin</b><br/>
246 |             Der Wert `strict-origin` weist den Browser an, als Referer Header immer die Ursprungs-Domain anzugeben.
247 |             </p>            
248 | 
249 |             <p><b>origin-when-cross-origin</b><br/>
250 |             Der Wert `origin-when-cross-origin` weist den Browser an, nur dann die vollständige Referrer-URL zu senden, wenn Sie auf der selben Domain bleiben. Sobald die Domain über HTTPS verlassen wird oder eine anderer Domain angesprochen wird, wird nur die Quell-Domain gesendet.</p>
251 | 
252 |             <p><b>strict-origin-when-cross-origin</b><br/>
253 |             Wie bei strict-origin handelt es sich bei strict-origin-when-cross-origin ebenfalls um eine Verschärfung einer bestehenden Regel. Es gelten die Regeln von origin-when-cross-origin. Zusätzlich werden allerdings die Referer Informationen entfernt, wenn der Request von einer HTTPS Seite zu einer HTTP Seite ausgelöst wird.</p>
254 |             
255 |             <p><b>unsafe-url</b><br/>
256 |             Mit dieser Einstellung wird der Browser dazu angewiesen, bei jedem Request die volle URL im Referer Header mitzusenden.</p>
257 |                                     
258 | 
259 | 
260 |                  
261 |             
262 |        </div>      
263 |     </div>
264 |   </div>
265 | </div>
266 | ';
267 | 
268 | $content .= '</div>';
269 | 
270 | 
271 | 
272 | // --------
273 | // -------- X-Content-Type-Options
274 | // --------
275 | 
276 | $content .= '<div class="fieldsetwrapper orange">';
277 | $content .= '<fieldset>';
278 | $content .= '<legend>X-Content-Type-Options';
279 | $content .= '<a class="help-block rex-note" data-toggle="modal" href="#xcontentttypeoptions">Mehr Informationen.</a>';
280 | $content .= '</legend>';
281 | 
282 | 
283 | $content .= '<div class="fb_check"> ';
284 | $formElements = [];
285 | $n = [];
286 | $n['label'] = '<label>Frontend <b>UND</b> Backend</label>';
287 | $n['field'] = '<input type="checkbox" class="toggle" id="x-content-type-options-nosniff_fb" name="config[x-content-type-options-nosniff_fb]"' . (!empty($this->getConfig('x-content-type-options-nosniff_fb')) && $this->getConfig('x-content-type-options-nosniff_fb') == '1' ? ' checked="checked"' : '') . ' value="1" />';
288 | $formElements[] = $n;
289 | 
290 | $fragment = new rex_fragment();
291 | $fragment->setVar('elements', $formElements, false);
292 | $content .= $fragment->parse('core/form/checkbox.php');
293 | $content .= '</div>';
294 | 
295 | 
296 | $formElements = [];
297 | $n = [];
298 | $n['label'] = '<label>nosniff</label>';
299 | $n['field'] = '<input type="checkbox" class="toggle" id="x-content-type-options-nosniff" name="config[x-content-type-options-nosniff]"' . (!empty($this->getConfig('x-content-type-options-nosniff')) && $this->getConfig('x-content-type-options-nosniff') == '1' ? ' checked="checked"' : '') . ' value="1" />';
300 | $formElements[] = $n;
301 | $fragment = new rex_fragment();
302 | $fragment->setVar('elements', $formElements, false);
303 | $content .= $fragment->parse('core/form/checkbox.php');
304 | $content .= '</fieldset>';
305 | 
306 | $content .= ' 
307 | <div class="modal fade" id="xcontentttypeoptions" tabindex="-1" >
308 |   <div class="modal-dialog modal-dialog-centered" role="document">
309 |     <div class="modal-content">
310 |       <div class="modal-header">
311 |         <h2 class="modal-title">X-Content-Type-Options
312 |         <span class="close" data-dismiss="modal" aria-label="Close">&times;</span>
313 |         </h2>
314 |       </div>
315 |      <div class="modal-body"> 
316 |             <p><i>nosniff</i> wird auch dann erzwungen, wenn der Content-Type nicht angegeben ist.</p>
317 |        </div>      
318 |     </div>
319 |   </div>
320 | </div>
321 | ';
322 | 
323 | $content .= '</div>';
324 | 
325 | /*
326 | // --------
327 | // -------- Strict-Transport-Security
328 | // --------
329 | 
330 | $content .= '<div class="fieldsetwrapper red">';
331 | $content .= '<fieldset>';
332 | $content .= '<legend>Strict-Transport-Security  (** noch ohne Funktion **)';
333 | $content .= '<a class="help-block warning rex-note" data-toggle="modal" href="#stricttransportsecurity">Wichtige Informationen. Unbedingt lesen!</a>';
334 | $content .= '</legend>';
335 | 
336 | $formElements = [];
337 | $n = [];
338 | $n['label'] = '<label for="strict-transport-security_lifetime">Lebensdauer</label>';
339 | $n['field'] = '<input class="form-control" type="text" id="strict-transport-security_lifetime" name="config[strict-transport-security_lifetime]" placeholder="Lebensdauer in Sekunden (31536000)" value="' . $this->getConfig('strict-transport-security_lifetime') . '"/>';
340 | $formElements[] = $n;
341 | $fragment = new rex_fragment();
342 | $fragment->setVar('elements', $formElements, false);
343 | $content .= $fragment->parse('core/form/form.php');
344 | 
345 | 
346 | $formElements = [];
347 | $n = [];
348 | $n['label'] = '<label>includeSubDomains</label>';
349 | $n['field'] = '<input type="checkbox" class="toggle" id="strict-transport-security_subdomain" name="config[strict-transport-security_subdomain]"' . (!empty($this->getConfig('strict-transport-security_subdomain')) && $this->getConfig('strict-transport-security_subdomain') == '1' ? ' checked="checked"' : '') . ' value="1" />';
350 | $formElements[] = $n;
351 | 
352 | $fragment = new rex_fragment();
353 | $fragment->setVar('elements', $formElements, false);
354 | $content .= $fragment->parse('core/form/checkbox.php');
355 | 
356 | 
357 | $formElements = [];
358 | $n = [];
359 | $n['label'] = '<label>preload</label>';
360 | $n['field'] = '<input type="checkbox" class="toggle" id="strict-transport-security_subdomain" name="config[strict-transport-security_preload]"' . (!empty($this->getConfig('strict-transport-security_preload')) && $this->getConfig('strict-transport-security_preload') == '1' ? ' checked="checked"' : '') . ' value="1" />';
361 | $formElements[] = $n;
362 | $fragment = new rex_fragment();
363 | $fragment->setVar('elements', $formElements, false);
364 | $content .= $fragment->parse('core/form/checkbox.php');
365 | 
366 | if (($addon->getConfig('strict-transport-security_subdomain') == '1' OR $addon->getConfig('strict-transport-security_preload') == '1') AND $addon->getConfig('strict-transport-security_lifetime') == '') {
367 |     $content .= '<p class="alert alert-danger">Es muß eine Lebensdauer angegeben werden!</p>';
368 | }
369 | 
370 | $content .= '</fieldset>';
371 | 
372 | $content .= ' 
373 | <div class="modal fade" id="stricttransportsecurity" tabindex="-1" >
374 |   <div class="modal-dialog modal-dialog-centered">
375 |     <div class="modal-content" >
376 |       <div class="modal-header">
377 |         <h2 class="modal-title">Strict-Transport-Security
378 |         <span class="close" data-dismiss="modal" aria-label="Close">&times;</span>
379 |         </h2>
380 |       </div>
381 |       <div class="modal-body">
382 |             <p>Hier muß zwingend eine Info hin...</p>
383 |        </div>      
384 |     </div>
385 |   </div>
386 | </div>
387 | ';
388 | 
389 | $content .= '</div>';
390 | 
391 | 
392 | 
393 | */
394 | 
395 | 
396 | 
397 | 
398 | // -------- Buttons
399 | 
400 | $formElements = [];
401 | $n = [];
402 | $n['field'] = '<a class="btn btn-abort" href="' . rex_url::currentBackendPage() . '">Abbrechen</a>';
403 | $formElements[] = $n;
404 | 
405 | $n = [];
406 | $n['field'] = '<button class="btn btn-apply rex-form-aligned" type="submit" name="send" value="1"' . rex::getAccesskey(rex_i18n::msg('update'), 'apply') . '>Einstellungen speichern</button>';
407 | $formElements[] = $n;
408 | 
409 | $fragment = new rex_fragment();
410 | $fragment->setVar('elements', $formElements, false);
411 | $buttons = $fragment->parse('core/form/submit.php');
412 | 
413 | 
414 | // -------- generate Page
415 | 
416 | $fragment = new rex_fragment();
417 | $fragment->setVar('class', 'edit');
418 | $fragment->setVar('title','Einstellungen');
419 | $fragment->setVar('body', $content, false);
420 | $fragment->setVar('buttons', $buttons, false);
421 | $content = $fragment->parse('core/page/section.php');
422 | 
423 | $content = '
424 |     <form action="' . rex_url::currentBackendPage() . '" method="post">
425 |         <input type="hidden" name="func" value="update">
426 |         ' . $content . '
427 |     </form>';
428 | 
429 | echo $content;
430 | 
431 | ?>
432 | 
433 | <script>
434 | 
435 |     $(document).on('rex:ready', function () {
436 |         <?php
437 |             if ($this->getConfig('x-frame-options') != 'allow-from') {
438 |                echo "$('#xframesurl').css('display','none');";
439 |             }
440 |         ?>
441 |     });
442 | 
443 |     $('#xframeselect').change(function(){
444 |         if ($(this).val() == 'allow-from') {
445 |             $('#xframesurl').slideDown();
446 |         } else {
447 |             $('#xframesurl').slideUp();
448 |         }
449 |     });
450 | </script>
451 | 
452 | <style>
453 | 
454 |     .fieldsetwrapper {
455 |         border: 2px solid grey;
456 |         background: #f1f1f1;
457 |         padding: 20px;
458 |         margin: 0 0 10px 0;
459 |     }
460 | 
461 |     .help-block {
462 |         font-size: 12px;
463 |     }
464 | 
465 |     .help-block.warning {
466 |         color: #f00;
467 |     }
468 | 
469 |     .fb_check {
470 |         text-align: right;
471 |         zoom: 0.75;
472 |         margin: -90px 0 60px 0;
473 |     }
474 | 
475 |     .fb_check label input[type=checkbox].toggle {
476 |         margin-right: 8px;
477 |         margin-top: -1px;
478 |     }
479 | 
480 | 
481 | 
482 |     label input[type=checkbox].toggle {
483 |         -webkit-appearance: none;
484 |         -moz-appearance: none;
485 |         appearance: none;
486 |         width: 3em;
487 |         height: 1.5em;
488 |         background: #ddd;
489 |         vertical-align: middle;
490 |         border-radius: 1.6em;
491 |         position: relative;
492 |         outline: 0;
493 |         margin-right: 16px;
494 |         cursor: pointer;
495 |         -webkit-transition: background 0.1s ease-in-out;
496 |         transition: background 0.1s ease-in-out;
497 | 
498 |     }
499 |     label input[type=checkbox].toggle::after {
500 |         content: '';
501 |         width: 1.5em;
502 |         height: 1.5em;
503 |         background: white;
504 |         position: absolute;
505 |         border-radius: 1.2em;
506 |         -webkit-transform: scale(0.7);
507 |         transform: scale(0.7);
508 |         left: 0;
509 |         box-shadow: 0 1px rgba(0, 0, 0, 0.5);
510 |         -webkit-transition: left 0.1s ease-in-out;
511 |         transition: left 0.1s ease-in-out;
512 |     }
513 |     label input[type=checkbox].toggle:checked {
514 |         background: #5791CE;
515 | 
516 |     }
517 |     label input[type=checkbox].toggle:checked::after {
518 |         left: 1.5em;
519 |     }
520 | 
521 |     .modal {
522 |         background: rgb(42, 57, 70, 80%);
523 | 
524 |     }
525 | 
526 |     .modal-content {
527 |         width:100%;
528 |         background: #efefef;
529 |         border: 5px solid #555;
530 |     }
531 | 
532 |     .modal-title {
533 |         padding: 0 16px 0 16px;
534 |     }
535 | 
536 |     .modal-body {
537 |         padding: 32px;
538 |         background: #fafafa;
539 |     }
540 | 
541 |     .green {
542 |         border: 1px solid green;
543 |     }
544 |     .orange {
545 |         border: 2px solid orange;
546 |     }
547 |     .red {
548 |         border: 3px solid red;
549 |     }
550 | 
551 |     .close {
552 |         padding-top: 8px;
553 |     }
554 | 
555 |     .modal-dialog-centered {
556 |         display:-webkit-box;
557 |         display:-ms-flexbox;
558 |         display:flex;
559 |         -webkit-box-align:center;
560 |         -ms-flex-align:center;
561 |         align-items:center;
562 |         min-height:calc(100% - (.5rem * 2));
563 |     }
564 | 
565 |     @media (min-width: 576px) {
566 |         .modal-dialog-centered {
567 |             min-height:calc(100% - (1.75rem * 2));
568 |         }
569 |     }
570 | </style>
571 | 


--------------------------------------------------------------------------------