szepeviktor · amiga-500 · Feb 2, 2017 · Feb 2, 2017
diff --git a/BrowserCache_ConfigLabels.php b/BrowserCache_ConfigLabels.php
@@ -35,7 +35,38 @@ public function config_labels( $config_labels ) {
 				'browsercache.other.w3tc' => __( 'Set W3 Total Cache header', 'w3-total-cache' ),
 				'browsercache.other.compression' => __( 'Enable <acronym title="Hypertext Transfer Protocol">HTTP</acronym> (gzip) compression</label>', 'w3-total-cache' ),
 				'browsercache.other.replace' => __( 'Prevent caching of objects after settings change', 'w3-total-cache' ),
-				'browsercache.other.nocookies' => __( 'Disable cookies for static files', 'w3-total-cache' )
+				'browsercache.other.nocookies' => __( 'Disable cookies for static files', 'w3-total-cache' ),
+                'browsercache.security.session.cookie_httponly' => __( 'Access session cookies through the HTTP protocol only', 'w3-total-cache' ),
+                'browsercache.security.session.cookie_secure' => __( 'Send session cookies only to secure connections', 'w3-total-cache' ),
+                'browsercache.security.session.use_only_cookies' => __( 'Use cookies to store session IDs in the user\'s browser', 'w3-total-cache' ),
+                'browsercache.security.hsts' => __( '<acronym title="Hypertext Transfer Protocol">HTTP</acronym> Strict Transport Security policy', 'w3-total-cache' ),
+                'browsercache.security.hsts.directive' => __( 'Directive:', 'w3-total-cache' ),
+				'browsercache.security.xfo' => __( 'X-Frame-Options', 'w3-total-cache' ),
+                'browsercache.security.xfo.directive' => __( 'Directive:', 'w3-total-cache' ),
+				'browsercache.security.xss' => __( 'X-XSS-Protection', 'w3-total-cache' ),
+                'browsercache.security.xss.directive' => __( 'Directive:', 'w3-total-cache' ),
+				'browsercache.security.xcto' => __( 'X-Content-Type-Options', 'w3-total-cache' ),
+                'browsercache.security.pkp' => __( 'HTTP Public Key Pinning', 'w3-total-cache' ),
+                'browsercache.security.pkp.pin' => __( 'Public Key:', 'w3-total-cache' ),
+                'browsercache.security.pkp.pin.backup' => __( 'Public Key (Backup):', 'w3-total-cache' ),
+                'browsercache.security.pkp.extra' => __( 'Extra Parameters:', 'w3-total-cache' ),
+                'browsercache.security.pkp.report.url' => __( 'Report URL:', 'w3-total-cache' ),
+                'browsercache.security.pkp.report.only' => __( 'Report Mode Only:', 'w3-total-cache' ),
+                'browsercache.security.csp' => __( 'Content Security Policy', 'w3-total-cache' ),
+                'browsercache.security.csp.base' => __( 'base-uri:', 'w3-total-cache' ),
+                'browsercache.security.csp.frame' => __( 'frame-src:', 'w3-total-cache' ),
+                'browsercache.security.csp.connect' => __( 'connect-src:', 'w3-total-cache' ),
+                'browsercache.security.csp.font' => __( 'font-src:', 'w3-total-cache' ),
+                'browsercache.security.csp.script' => __( 'script-src:', 'w3-total-cache' ),
+                'browsercache.security.csp.style' => __( 'style-src:', 'w3-total-cache' ),
+                'browsercache.security.csp.img' => __( 'img-src:', 'w3-total-cache' ),
+                'browsercache.security.csp.media' => __( 'media-src:', 'w3-total-cache' ),
+                'browsercache.security.csp.object' => __( 'object-src:', 'w3-total-cache' ),
+                'browsercache.security.csp.plugin' => __( 'plugin-types:', 'w3-total-cache' ),
+                'browsercache.security.csp.form' => __( 'form-action:', 'w3-total-cache' ),
+                'browsercache.security.csp.frame.ancestors' => __( 'frame-ancestors:', 'w3-total-cache' ),
+                'browsercache.security.csp.sandbox' => __( 'sandbox:', 'w3-total-cache' ),
+                'browsercache.security.csp.default' => __( 'default-src:', 'w3-total-cache' )
 			) );
 	}
 }
diff --git a/BrowserCache_Environment.php b/BrowserCache_Environment.php
@@ -334,10 +334,97 @@ private function rules_cache_generate_apache( $config ) {
 			$rules .= $this->_rules_cache_generate_apache_for_type( $config,
 				$extensions, $type );
 
-		if ( $config->get_boolean( 'browsercache.hsts' ) ) {
-			$lifetime = $config->get_integer( 'browsercache.other.lifetime' );
+        $sec = "    php_flag session.cookie_httponly " . ( $config->get_boolean( 'browsercache.security.session.cookie_httponly' ) ? "on" : "off" ) . "\n" .
+               "    php_flag session.cookie_secure " . ( $config->get_boolean( 'browsercache.security.session.cookie_secure' ) ? "on" : "off" ) . "\n" .
+               "    php_flag session.use_only_cookies " . ( $config->get_boolean( 'browsercache.security.session.use_only_cookies' ) ? "on" : "off" ) . "\n</ifModule>\n";
+
+        $rules .= "<IfModule mod_php5.c>\n";
+        $rules .= $sec;
+        $rules .= "<IfModule mod_php7.c>\n";
+        $rules .= $sec;
+        $rules .= "<IfModule mod_suphp.c>\n";
+        $rules .= $sec;
+
+		if ( $config->get_boolean( 'browsercache.security.hsts' ) ||
+             $config->get_boolean( 'browsercache.security.xfo' )  ||
+             $config->get_boolean( 'browsercache.security.xss' )  ||
+             $config->get_boolean( 'browsercache.security.xcto' ) ||
+             $config->get_boolean( 'browsercache.security.pkp' )  ||
+             $config->get_boolean( 'browsercache.security.csp' )
+           ) {
+            $lifetime = $config->get_integer( 'browsercache.other.lifetime' );
+
 			$rules .= "<IfModule mod_headers.c>\n";
-			$rules .= "    Header set strict-transport-security \"max-age=$lifetime\"\n";
+
+            if ( $config->get_boolean( 'browsercache.security.hsts' ) ) {
+                $dir = $config->get_string( 'browsercache.security.hsts.directive' );
+                $rules .= "    Header set Strict-Transport-Security \"max-age=$lifetime" . ( strpos( $dir,"inc" ) ? "; includeSubDomains" : "" ) . ( strpos( $dir, "pre" ) ? "; preload" : "" ) . "\"\n";
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.xfo' ) ) {
+                $dir = $config->get_string( 'browsercache.security.xfo.directive' );
+                $url = trim( $config->get_string( 'browsercache.security.xfo.allow' ) );
+                if ( empty( $url ) ) {
+                    $url = Util_Environment::home_url_maybe_https();
+                }
+                $rules .= "    Header always append X-Frame-Options \"" . ( $dir == "same" ? "SAMEORIGIN" : ( $dir == "deny" ? "DENY" : "ALLOW-FROM $url" ) ) . "\"\n";
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.xss' ) ) {
+                $dir = $config->get_string( 'browsercache.security.xss.directive' );
+                $rules .= "    Header set X-XSS-Protection \"" . ( $dir == "block" ? "1; mode=block" : $dir ) . "\"\n";
+
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.xcto' ) ) {
+                $rules .= "    Header set X-Content-Type-Options \"nosniff\"\n";
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.pkp' ) ) {
+                $pin = trim( $config->get_string( 'browsercache.security.pkp.pin' ) );
+                $pinbak = trim( $config->get_string( 'browsercache.security.pkp.pin.backup' ) );
+                $extra = $config->get_string( 'browsercache.security.pkp.extra' );
+                $url = trim( $config->get_string( 'browsercache.security.pkp.report.url' ) );
+                $rep_only = $config->get_string( 'browsercache.security.pkp.report.only' ) == '1' ? true : false;
+                $rules .= "    Header set " . ( $rep_only ? "Public-Key-Pins-Report-Only" : "Public-Key-Pins" ) . " \"pin-sha256=\\\"$pin\\\"; pin-sha256=\\\"$pinbak\\\"; max-age=$lifetime" . ( strpos( $extra,"inc" ) ? "; includeSubDomains" : "" ) . ( !empty( $url ) ? "; report-uri=\\\"$url\\\"" : "" ) . "\"\n";
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.csp' ) ) {
+                $base = trim( $config->get_string( 'browsercache.security.csp.base' ) );
+                $frame = trim( $config->get_string( 'browsercache.security.csp.frame' ) );
+                $connect = trim( $config->get_string( 'browsercache.security.csp.connect' ) );
+                $font = trim( $config->get_string( 'browsercache.security.csp.font' ) );
+                $script = trim( $config->get_string( 'browsercache.security.csp.script' ) );
+                $style = trim( $config->get_string( 'browsercache.security.csp.style' ) );
+                $img = trim( $config->get_string( 'browsercache.security.csp.img' ) );
+                $media = trim( $config->get_string( 'browsercache.security.csp.media' ) );
+                $object = trim( $config->get_string( 'browsercache.security.csp.object' ) );
+                $plugin = trim( $config->get_string( 'browsercache.security.csp.plugin' ) );
+                $form = trim( $config->get_string( 'browsercache.security.csp.form' ) );
+                $frame_ancestors = trim( $config->get_string( 'browsercache.security.csp.frame.ancestors' ) );
+                $sandbox = $config->get_string( 'browsercache.security.csp.sandbox' );
+                $default = trim( $config->get_string( 'browsercache.security.csp.default' ) );
+
+                $dir = rtrim( ( !empty( $base ) ? "base-uri $base; " : "" ).
+                       ( !empty( $frame ) ? "frame-src $frame; " : "" ).
+                       ( !empty( $connect ) ? "connect-src $connect; " : "" ).
+                       ( !empty( $font ) ? "font-src $font; " : "" ).
+                       ( !empty( $script ) ? "script-src $script; " : "" ).
+                       ( !empty( $style ) ? "style-src $style; " : "" ).
+                       ( !empty( $img ) ? "img-src $img; " : "" ).
+                       ( !empty( $media ) ? "media-src $media; " : "" ).
+                       ( !empty( $object ) ? "object-src $object; " : "" ).
+                       ( !empty( $plugin ) ? "plugin-types $plugin; " : "" ).
+                       ( !empty( $form ) ? "form-action $form; " : "" ).
+                       ( !empty( $frame_ancestors ) ? "frame-ancestors $frame_ancestors; " : "" ).
+                       ( !empty( $sandbox ) ? "sandbox " . trim( $sandbox ) . "; " : "" ).
+                       ( !empty( $default ) ? "default-src $default;" : "" ), "; " );
+
+                if ( !empty( $dir ) ) {
+                    $rules .= "    Header set Content-Security-Policy \"$dir\"\n";
+                }
+            }
+
 			$rules .= "</IfModule>\n";
 		}
 
@@ -561,10 +648,88 @@ private function rules_cache_generate_nginx( $config, $cdnftp = false ) {
 			$this->_rules_cache_generate_nginx_for_type( $config, $rules,
 				$extensions, $type );
 
-		if ( $config->get_boolean( 'browsercache.hsts' ) ) {
-			$lifetime = $config->get_integer( 'browsercache.other.lifetime' );
-			$rules .= "add_header strict-transport-security \"max-age=$lifetime\";\n";
-		}
+        $rules .= "fastcgi_param PHP_FLAG \"session.cookie_httponly=" . ( $config->get_boolean( 'browsercache.security.session.cookie_httponly' ) ? "on" : "off" ) . "\n" .
+        "session.cookie_secure=" . ( $config->get_boolean( 'browsercache.security.session.cookie_secure' ) ? "on" : "off" ) . "\n" .
+        "session.use_only_cookies=" . ( $config->get_boolean( 'browsercache.security.session.use_only_cookies' ) ? "on" : "off" ) . "\";";
+
+        if ( $config->get_boolean( 'browsercache.security.hsts' ) ||
+             $config->get_boolean( 'browsercache.security.xfo' )  ||
+             $config->get_boolean( 'browsercache.security.xss' )  ||
+             $config->get_boolean( 'browsercache.security.xcto' ) ||
+             $config->get_boolean( 'browsercache.security.pkp' )  ||
+             $config->get_boolean( 'browsercache.security.csp' )
+           ) {
+            $lifetime = $config->get_integer( 'browsercache.other.lifetime' );
+
+            if ( $config->get_boolean( 'browsercache.security.hsts' ) ) {
+                $dir = $config->get_string( 'browsercache.security.hsts.directive' );
+                $rules .= "add_header Strict-Transport-Security \"max-age=$lifetime" . ( strpos( $dir,"inc" ) ? "; includeSubDomains" : "" ) . ( strpos( $dir, "pre" ) ? "; preload" : "" ) . "\";\n";
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.xfo' ) ) {
+                $dir = $config->get_string( 'browsercache.security.xfo.directive' );
+                $url = trim( $config->get_string( 'browsercache.security.xfo.allow' ) );
+                if ( empty( $url ) ) {
+                    $url = Util_Environment::home_url_maybe_https();
+                }
+                $rules .= "add_header X-Frame-Options \"" . ( $dir == "same" ? "SAMEORIGIN" : ( $dir == "deny" ? "DENY" : "ALLOW-FROM $url" ) ) . "\";\n";
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.xss' ) ) {
+                $dir = $config->get_string( 'browsercache.security.xss.directive' );
+                $rules .= "add_header X-XSS-Protection \"" . ( $dir == "block" ? "1; mode=block" : $dir ) . "\";\n";
+
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.xcto' ) ) {
+                $rules .= "add_header X-Content-Type-Options \"nosniff\";\n";
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.pkp' ) ) {
+                $pin = trim( $config->get_string( 'browsercache.security.pkp.pin' ) );
+                $pinbak = trim( $config->get_string( 'browsercache.security.pkp.pin.backup' ) );
+                $extra = $config->get_string( 'browsercache.security.pkp.extra' );
+                $url = trim( $config->get_string( 'browsercache.security.pkp.report.url' ) );
+                $rep_only = $config->get_string( 'browsercache.security.pkp.report.only' ) == '1' ? true : false;
+                $rules .= "add_header " . ( $rep_only ? "Public-Key-Pins-Report-Only" : "Public-Key-Pins" ) . " 'pin-sha256=\"$pin\"; pin-sha256=\"$pinbak\"; max-age=$lifetime" . ( strpos( $extra,"inc" ) ? "; includeSubDomains" : "" ) . ( !empty( $url ) ? "; report-uri=\"$url\"" : "" ) . "';\n";
+            }
+
+            if ( $config->get_boolean( 'browsercache.security.csp' ) ) {
+                $base = trim( $config->get_string( 'browsercache.security.csp.base' ) );
+                $frame = trim( $config->get_string( 'browsercache.security.csp.frame' ) );
+                $connect = trim( $config->get_string( 'browsercache.security.csp.connect' ) );
+                $font = trim( $config->get_string( 'browsercache.security.csp.font' ) );
+                $script = trim( $config->get_string( 'browsercache.security.csp.script' ) );
+                $style = trim( $config->get_string( 'browsercache.security.csp.style' ) );
+                $img = trim( $config->get_string( 'browsercache.security.csp.img' ) );
+                $media = trim( $config->get_string( 'browsercache.security.csp.media' ) );
+                $object = trim( $config->get_string( 'browsercache.security.csp.object' ) );
+                $plugin = trim( $config->get_string( 'browsercache.security.csp.plugin' ) );
+                $form = trim( $config->get_string( 'browsercache.security.csp.form' ) );
+                $frame_ancestors = trim( $config->get_string( 'browsercache.security.csp.frame.ancestors' ) );
+                $sandbox = $config->get_string( 'browsercache.security.csp.sandbox' );
+                $default = trim( $config->get_string( 'browsercache.security.csp.default' ) );
+
+                $dir = rtrim( ( !empty( $base ) ? "base-uri $base; " : "" ).
+                       ( !empty( $frame ) ? "frame-src $frame; " : "" ).
+                       ( !empty( $connect ) ? "connect-src $connect; " : "" ).
+                       ( !empty( $font ) ? "font-src $font; " : "" ).
+                       ( !empty( $script ) ? "script-src $script; " : "" ).
+                       ( !empty( $style ) ? "style-src $style; " : "" ).
+                       ( !empty( $img ) ? "img-src $img; " : "" ).
+                       ( !empty( $media ) ? "media-src $media; " : "" ).
+                       ( !empty( $object ) ? "object-src $object; " : "" ).
+                       ( !empty( $plugin ) ? "plugin-types $plugin; " : "" ).
+                       ( !empty( $form ) ? "form-action $form; " : "" ).
+                       ( !empty( $frame_ancestors ) ? "frame-ancestors $frame_ancestors; " : "" ).
+                       ( !empty( $sandbox ) ? "sandbox " . trim( $sandbox ) . "; " : "" ).
+                       ( !empty( $default ) ? "default-src $default;" : "" ), "; " );
+
+                if ( !empty( $dir ) ) {
+                    $rules .= "add_header Content-Security-Policy \"$dir\";\n";
+                }
+            }
+        }
 
 		$rules .= W3TC_MARKER_END_BROWSERCACHE_CACHE . "\n";