Hi All,
Let me know if there are some default policies we could add that would help. We'll also work to make things more compliant and strict as we continue to update the codebase.
In the meantime, I've made it possible to add or modify the headers with a plugin for the next release. Here's how to apply that patch if you'd like to do that now.
In /lib/headers.php find this block of code at the top:
// show headers - prevent caching of CMS pages
header('Content-type: text/html; charset=utf-8');
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: 0');
Replace it with this:
// headers: prevent caching of CMS pages
$headers = [];
$headers[] = 'Content-type: text/html; charset=utf-8';
$headers[] = 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0';
$headers[] = 'Pragma: no-cache';
$headers[] = 'Expires: 0';
$headers = applyFilters('headers', $headers); // Allow plugins to modify headers
array_map('header', $headers); // Call PHP header() for each header
header_remove('X-Powered-By'); // Security: Prevent information disclosure, eg: X-Powered-By: PHP/8.0.11
Then add this plugin (modify as needed):
<?php
/*
Plugin Name: CSP Headers
Description: Add CSP Headers (requires CMSB 3.63 or a patch)
Version: 1.00
*/
// Plugin Actions
addFilter('headers', 'addCspHeaders', null, 1);
//
function addCspHeaders($headers) {
    $headers[] = "X-Frame-Options: SAMEORIGIN";
    $headers[] = "X-XSS-Protection: 1; mode=block";
    $headers[] = "X-Content-Type-Options: nosniff";
    $headers[] = "Content-Security-Policy: default-src * data: blob:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; img-src https: http://www.YOURSITE.com http://*.YOURSITESUBDOMAIN.com data: blob:; frame-src https:; base-uri *; worker-src * https: blob:;";
    $headers[] = "Permissions-Policy: camera=(), geolocation=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), hid=()";
    return $headers;
}
Hope that helps! Let me know if that works for you.
Dave Edis - Senior Developer
interactivetools.com
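As an added example (not Dave's code and not part of CMS Builder), the same 'headers' filter can build the Content-Security-Policy from a directive array, so each allowed source is easy to review and a header set by another plugin is replaced rather than sent twice. It assumes the patched /lib/headers.php above and CMSB's addFilter(); the host names are placeholders and the policy starts tighter than the one in the post, so loosen individual directives as the site requires.

```php
<?php
/*
Plugin Name: CSP Headers (structured)
Description: Builds Content-Security-Policy from a directive array (assumes the patched /lib/headers.php)
*/
// Same 'headers' filter the patched headers.php applies; addFilter() is CMSB's hook API.
addFilter('headers', 'addStructuredCspHeaders', null, 1);

// One entry per directive; host names are placeholders to replace with your own.
// A directive with an empty list (upgrade-insecure-requests) takes no sources and is emitted bare.
function cspDirectives() {
    return [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", "'unsafe-inline'"], // drop 'unsafe-inline' once inline JS is moved to files
        'style-src'   => ["'self'", "'unsafe-inline'"],
        'img-src'     => ["'self'", 'https://www.YOURSITE.com', 'data:', 'blob:'],
        'frame-src'   => ["'self'"],
        'base-uri'    => ["'self'"],
        'form-action' => ["'self'"],
        'worker-src'  => ["'self'", 'blob:'],
        'upgrade-insecure-requests' => [],
    ];
}

// Serialize the map into header syntax: "directive src src; directive src"
function buildCsp(array $directives) {
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = trim($name . ' ' . implode(' ', $sources));
    }
    return implode('; ', $parts);
}

// Remove any earlier header with the same name (case-insensitive) before appending ours,
// so a copy added by another plugin is not sent alongside a conflicting one.
function setHeader(array $headers, $newHeader) {
    $name = strtolower(explode(':', $newHeader, 2)[0]);
    $headers = array_filter($headers, function ($h) use ($name) {
        return strtolower(explode(':', $h, 2)[0]) !== $name;
    });
    $headers[] = $newHeader;
    return array_values($headers);
}

function addStructuredCspHeaders(array $headers) {
    $headers = setHeader($headers, 'X-Frame-Options: SAMEORIGIN');
    $headers = setHeader($headers, 'X-Content-Type-Options: nosniff');
    $headers = setHeader($headers, 'Content-Security-Policy: ' . buildCsp(cspDirectives()));
    return $headers;
}
```

After enabling the plugin, confirm the result with `curl -sI https://www.YOURSITE.com/` and check that exactly one Content-Security-Policy line appears.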