Subject Re: Setting options regarding security
From Martin Altmann <altmann@altem.de>
Date Thu, 1 Jul 2021 22:54:38 +0200
Newsgroups xb2net

On 01.07.2021 at 16:41, Boris Borzic wrote:
> Please have a look at the FilterRequest function in WEBSERVE.PRG included
> with v4.1. Some of these settings have been included, you can add your own.
>
> Also, whenever you upgrade versions, I strongly recommend comparing the
> included source code with previous versions as well as with your own versions of
> these. The changes in source code may include bug fixes, security updates
> and best practice experience.
>
Boris,
thank you very much - I did as advised but it is not working. The
headers are ignored.
My function looks similar to yours:

Function FilterRequest(oClient)
   Local i
   Local cHost := oClient:HTTPRequest:Host()
   Local cPath := oClient:HTTPRequest:Path()

   // Security response headers, set before any other processing of the request
   oClient:HttpResponse:SetHeader("Referrer-Policy", "same-origin")
   oClient:HttpResponse:SetHeader("X-Content-Type-Options", "nosniff")
   oClient:HttpResponse:SetHeader("X-Frame-Options", "SAMEORIGIN")
   oClient:HttpResponse:SetHeader("Strict-Transport-Security", ;
      "max-age=31536000; includeSubDomains; preload")
   oClient:HttpResponse:SetHeader("Content-Security-Policy", ;
      "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; " + ;
      "style-src 'self'; base-uri 'self'; form-action 'self'")

   // Host() and Path() may return NIL; treat that as an empty string
   if Valtype(cHost) == "U"
      cHost := ""
   endif
   if Valtype(cPath) == "U"
      cPath := ""
   endif

   // Drop requests probing for script handlers this server does not have
   if ".php" $ cPath .or. ".cgi" $ cPath .or. "cgi-bin" $ cPath .or. ".asp" $ cPath
      oClient:NoLog := .T.
      oClient:Close()
      Return .F.
   endif

   // Redirect plain HTTP to HTTPS when lForceHttps is set
   if MEMVAR->lForceHttps .and. !Empty(cHost) .and. !oClient:IsSecure()
      oClient:HTTPResponse:StatusCode := 301
      oClient:HTTPResponse:Location("https://" + cHost + ;
         oClient:HTTPRequest:xbURI:AsString(.T.))
      Return .F.
   endif

Return .T.

When using a browser's object inspector, I do not see those headers being
set.
I am not using any static HTML pages; all pages are built in memory and
returned to the client. Would I have to set those headers inside each of
those functions building a page?

Best regards,
Martin

--
______________________________

Deutschsprachiges Xbase-Forum:
http://www.xbaseforum.de/
______________________________
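A way to check what the client actually receives, independent of the browser's inspector: the Python script below is an added example, not code from this post or from xb2net. It audits a set of response headers against the values FilterRequest above tries to set (same-origin referrer policy, nosniff, SAMEORIGIN framing, a one-year HSTS with includeSubDomains, and a CSP with a default-src fallback and restricted base-uri/form-action) and can fetch live headers without following redirects, so a 301 from the lForceHttps branch is visible rather than silently followed. The function names, thresholds and the sample header dictionaries are constructed for illustration.

```python
"""Audit the security response headers a web server actually delivers.

Added example, not code from the original post or from xb2net. Function
names, thresholds and sample header dicts are constructed for illustration.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List

# Accepted values for the simple headers; the post sets the first of each.
EXPECTED = {
    "Referrer-Policy": {"same-origin", "no-referrer",
                        "strict-origin-when-cross-origin"},
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"SAMEORIGIN", "DENY"},
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as in the post


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak headers; [] means every check passed."""
    h = _normalize(headers)
    findings: List[str] = []

    for name, allowed in EXPECTED.items():
        value = h.get(name.lower())
        if value is None:
            findings.append(f"{name}: missing")
        elif value not in allowed:
            findings.append(f"{name}: unexpected value {value!r}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security: max-age below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security: includeSubDomains not set")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    else:
        # Parse "directive source source; directive ..." into a dict of lists.
        directives: Dict[str, List[str]] = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "default-src" not in directives:
            findings.append("Content-Security-Policy: no default-src fallback")
        for d in ("default-src", "script-src"):
            if "'unsafe-inline'" in directives.get(d, []):
                findings.append(f"Content-Security-Policy: 'unsafe-inline' in {d}")
        for d in ("base-uri", "form-action"):
            if d not in directives:
                findings.append(f"Content-Security-Policy: {d} not restricted")

    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """HEAD the URL without following redirects, so a 301 to https stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then surfaces the 3xx as an HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())  # 3xx/4xx responses still carry headers


# Constructed sample responses (not captured from any real server).
FULL_HEADERS = {  # what FilterRequest intends to send
    "Content-Type": "text/html; charset=utf-8",
    "Referrer-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'none'; script-src 'self'; connect-src 'self'; "
                                "img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'"),
}
BARE_HEADERS = {"Content-Type": "text/html", "Server": "xb2net"}  # filter headers ignored
WEAK_HEADERS = {**FULL_HEADERS,
                "Strict-Transport-Security": "max-age=300",
                "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else BARE_HEADERS
    for finding in audit_headers(hdrs) or ["all expected security headers present"]:
        print(finding)
```

Run it as `python check_headers.py http://host/path` right after changing FilterRequest; without an argument it audits the constructed BARE_HEADERS sample. Because the fetch does not follow redirects, the output for a plain-HTTP request shows the headers attached to the 301 itself, which is the response the lForceHttps branch returns.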

Recent messages in this thread
 
-# Setting options regarding security Martin Altmann 01-Jul-2021 05:05 am
.-# Re: Setting options regarding security Boris Borzic <.> 01-Jul-2021 10:41 am
..-# Re: Setting options regarding security (Current message) Martin Altmann 01-Jul-2021 04:54 pm
...-# Re: Setting options regarding security Boris Borzic <.> 01-Jul-2021 06:51 pm
....-# Re: Setting options regarding security Martin Altmann 02-Jul-2021 01:47 am
.....-# Re: Setting options regarding security Martin Altmann 02-Jul-2021 03:48 am
......-# Re: Setting options regarding security Martin Altmann 04-Jul-2021 04:38 am
.......-# Re: Setting options regarding security Boris Borzic <.> 05-Jul-2021 06:44 pm
........\# Re: Setting options regarding security Martin Altmann 05-Jul-2021 11:12 pm