Extended security-related HTTP headers

Signed-off-by: Martin Herndl <martin.herndl@world4you.com>
phpmyadmin · Aug 27, 2015 · 699d55f · 699d55f
1 parent 95a7362
commit 699d55f
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/libraries/Header.class.php b/libraries/Header.class.php
@@ -593,6 +593,22 @@ public function sendHttpHeaders()
             . $captcha_url
             . ";"
         );
+        // Re-enable possible disabled XSS filters
+        // see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+        header(
+            'X-XSS-Protection: 1; mode=block'
+        );
+        // "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a
+        // response away from the declared content-type
+        /// see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+        header(
+            'X-Content-Type-Options: nosniff'
+        );
+        // Adobe cross-domain-policies
+        // see http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
+        header(
+            'X-Permitted-Cross-Domain-Policies: none'
+        );
         PMA_noCacheHeader();
         if (! defined('IS_TRANSFORMATION_WRAPPER')) {
             // Define the charset to be used