
SecurityHeadersPlugin

Add HTTP security headers to protect against XSS attacks

HTTP headers are included in every HTTP response from a web server. Setting the appropriate HTTP headers can reduce the risk of man-in-the-middle and cross-site-scripting attacks on a web application. You can also reduce information leaks about the web application configuration - vital data that gives a would-be attacker clues about potential vulnerabilities. Read on to find out how to set the appropriate headers in your Perl web application.

The following headers are set:

  • X-Frame-Options: protects the site from being loaded into a frame or iframe (specs)
  • Strict-Transport-Security: requires the browser to load all content via HTTPS
  • Content-Security-Policy: sets a whitelist of domains from which content can be safely loaded (specs)
  • Referrer-Policy: decides when the browser sends the Referer header (documentation)

IE-only headers:

  • X-Content-Type-Options: disables MIME sniffing; already disabled by default in IE, but the header is sent anyway to enforce it
  • X-Download-Options: prevents IE from opening a downloaded HTML file directly
  • X-XSS-Protection: turns on the browser's XSS filter

Deprecated headers:

  • X-Content-Security-Policy: IE10+
  • X-Webkit-CSP: iOS Safari 5.0-5.1

These two headers can be switched on optionally to support browsers not yet using the standard headers.
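To check whether a response actually carries the headers listed above with sane values, here is an added audit script (not part of the plugin); it runs over two constructed header blocks and flags missing or weak settings:

```python
import re
from email.parser import HeaderParser

# Constructed sample responses (not captured from a real server).
GOOD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-XSS-Protection: 1; mode=block
"""

WEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=0
Content-Security-Policy: default-src * 'unsafe-inline'
Referrer-Policy: unsafe-url
X-Content-Type-Options: nosniff
"""

def parse_headers(raw):
    """Drop the status line and return a lower-cased header dict."""
    body = raw.split("\n", 1)[1] if raw.startswith("HTTP/") else raw
    return {k.lower(): v.strip() for k, v in HeaderParser().parsestr(body).items()}

def hsts_ok(v):
    """HSTS only helps with a max-age of at least one year (31536000 s)."""
    m = re.search(r"max-age=(\d+)", v)
    return bool(m) and int(m.group(1)) >= 31536000

def csp_ok(v):
    """Reject policies that allow inline script or a wildcard source."""
    return "'unsafe-inline'" not in v and not re.search(r"-src\s+\*", v)

def audit(raw):
    """Return a list of findings for the headers the plugin sets; empty means all good."""
    h, findings = parse_headers(raw), []
    checks = [
        ("x-frame-options", lambda v: v.upper() in ("DENY", "SAMEORIGIN"), "does not restrict framing"),
        ("strict-transport-security", hsts_ok, "max-age below one year"),
        ("content-security-policy", csp_ok, "allows inline script or any origin"),
        ("referrer-policy", lambda v: v.lower() not in ("unsafe-url", "no-referrer-when-downgrade"), "leaks full URL cross-origin"),
        ("x-content-type-options", lambda v: v.lower() == "nosniff", "MIME sniffing not disabled"),
    ]
    for name, ok, msg in checks:
        val = h.get(name)
        if val is None:
            findings.append(f"{name}: missing")
        elif not ok(val):
            findings.append(f"{name}: {msg} ({val})")
    return findings
```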

For more information see also:

Installation Instructions

You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.

Open configure, and open the "Extensions" section. "Extensions Operation and Maintenance" Tab -> "Install, Update or Remove extensions" Tab. Click the "Search for Extensions" button. Enter part of the extension name or description and press search. Select the desired extension(s) and click install. If an extension is already installed, it will not show up in the search results.

You can also install from the shell by running the extension installer as the web server user: (Be sure to run as the webserver user, not as root!)
cd /path/to/foswiki
perl tools/extension_installer <NameOfExtension> install

If you have any problems, or if the extension isn't available in configure, then you can still install manually from the command-line. See https://foswiki.org/Support/ManuallyInstallingExtensions for more help.

Dependencies

None

Change History

26 Jan 2024 added referrer policy; added service worker allowed; added more content security policies; removed deprecated child source policy; better defaults
17 Oct 2018 more reasonable default settings
09 Sep 2016 added child-src policy in addition to the now deprecated frame-src
08 Mar 2016 fixed xss protection
Topic revision: r5 - 26 Jan 2024, MichaelDaum