enabling XSS protections on f-droid.org
HTTP headers can configure a number of browser protections for XSS attacks. Currently, f-droid.org is not configured to use them:
https://securityheaders.io/?q=f-droid.org&followRedirects=on
To change this, mod_headers needs to be enabled. Then .htaccess can already override FileInfo settings, which include the Header directive.
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
# (mod_headers syntax is "Header [condition] set name value"; the header
# name is written without a trailing colon.)
#
Header always set X-Content-Type-Options "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header always set X-Frame-Options "sameorigin"
#
# This header is used to configure the built in reflective XSS
# protection found in Internet Explorer, Chrome and Safari
# (Webkit). Valid settings for the header are 0, which disables the
# protection, 1 which enables the protection and 1; mode=block which
# tells the browser to block the response if it detects an attack
# rather than sanitising the script.
# Note: Firefox never implemented this auditor and Chrome and Edge have
# since removed theirs, so the Content-Security-Policy below is the
# defence that actually counts in current browsers.
#
Header always set X-Xss-Protection "1; mode=block"
#
# The browser will set the referrer header to the origin from which
# the request was made, but only send referrer info to HTTPS
# sites. This will strip any path information from the referrer
# information.
#
Header always set Referrer-Policy "strict-origin"
#
# Content Security Policy is delivered via a HTTP response header and
# defines approved sources of content that the browser may load.
# Inline styles are still allowed ('unsafe-inline' in style-src), but
# inline and third-party script are not, which is what blocks reflected XSS.
#
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
There is another scanner for these headers: https://securityheaders.io/?q=f-droid.org&followRedirects=on
forum.f-droid.org already gets a B. I tested this config on verification.f-droid.org: https://securityheaders.io/?q=verification.f-droid.org&followRedirects=on
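As an added example (not part of this issue and not F-Droid's own tooling), the following script does offline what the securityheaders.io scan above does online: it parses a raw HTTP response head, such as the output of `curl -sI https://f-droid.org/`, and reports whether each of the five headers from the proposed .htaccess is missing, present but weak, or set to a safe value. The CSP check goes a little beyond the config above: it treats any script policy that permits `'unsafe-inline'` or a wildcard host as weak, since such a policy would not stop reflected XSS. The expected values are my assumptions mirroring the config in this issue, and the three sample responses are constructed, not captured from f-droid.org.

```python
"""Offline check of the protective response headers proposed in this issue.

Added example, not part of the issue or of F-Droid's server configuration.
Feed it a raw HTTP response head (status line plus headers, as printed by
`curl -sI`) and it reports each header as "ok", "weak" or "missing".
"""
from typing import Dict, List

# Headers the proposed .htaccess sets (assumed expected set, mirroring the issue).
HEADERS = [
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "referrer-policy",
    "content-security-policy",
]

# Referrer policies that never leak path/query information cross-origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

# Script sources that make a CSP useless against reflected XSS.
UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "*", "data:", "http:", "https:"}


def parse_head(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name.

    A header may legitimately appear more than once (CSP, for example), so
    every value is kept, in order. The first line is the status line and a
    blank line terminates the head.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray non-header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources...]} (sources lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def csp_is_safe(value: str) -> bool:
    """True when the effective script-src allows neither inline script nor any host."""
    policy = parse_csp(value)
    scripts = policy.get("script-src") or policy.get("default-src") or []
    if not scripts:
        return False  # no script restriction at all
    return not (UNSAFE_SCRIPT_SOURCES & set(scripts))


def check(name: str, values: List[str]) -> str:
    """Classify a present header as 'ok' or 'weak'."""
    first = values[0].lower()
    if name == "x-content-type-options":
        ok = first == "nosniff"
    elif name == "x-frame-options":
        ok = first in ("deny", "sameorigin")
    elif name == "x-xss-protection":
        ok = first.startswith("1")
    elif name == "referrer-policy":
        ok = first in SAFE_REFERRER
    else:
        # Multiple CSP headers are intersected by the browser, so one safe policy suffices.
        ok = any(csp_is_safe(v) for v in values)
    return "ok" if ok else "weak"


def audit(raw: str) -> Dict[str, str]:
    """Report 'ok' / 'weak' / 'missing' for each expected header."""
    headers = parse_head(raw)
    return {h: (check(h, headers[h]) if h in headers else "missing") for h in HEADERS}


def passes(raw: str) -> bool:
    return all(state == "ok" for state in audit(raw).values())


# Constructed sample: a reply before the change, no protective headers at all.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

# Constructed sample: the same reply once the proposed .htaccess is active.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "style-src 'self' 'unsafe-inline';\r\n"
    "\r\n"
)

# Constructed sample: a CSP that is present but still allows inline script.
WEAK_CSP = AFTER.replace("script-src 'self'", "script-src 'self' 'unsafe-inline'")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("weak csp", WEAK_CSP)):
        print(label, audit(raw), "PASS" if passes(raw) else "FAIL")
```

To run it against a live host, pipe `curl -sI https://f-droid.org/` into `audit()`; a redirect (3xx) reply must be followed first, which is what the `followRedirects=on` parameter in the scanner links above does.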