From cced874033158d938104a21b3e70ed679f87e5a8 Mon Sep 17 00:00:00 2001
From: Andy Taylor <andy@mw0mwz.co.uk>
Date: Mon, 24 Nov 2025 10:20:31 +0000
Subject: [PATCH 1/2] Add improved seciurity headders for dashboard2

---
 dashboard2/changes.txt | 11 ++++++++++
 dashboard2/index.php   | 46 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/dashboard2/changes.txt b/dashboard2/changes.txt
index 17f8c4a..40d6de0 100644
--- a/dashboard2/changes.txt
+++ b/dashboard2/changes.txt
@@ -1,3 +1,14 @@
+xlx db v2.3.9
+
+SECURITY UPDATE - Minor upgrade to further improve dashboard security
+
+ - "index.php"
+  * Added additional security headders to improve security score for dashbaord application.
+  * Add Content Security Policy
+  * Add Permissions Policy
+  * Add Transport Security Policy
+
+
 xlx db v2.3.8
 
 SECURITY UPDATE - XSS Vulnerability Patches and Security Enhancements
diff --git a/dashboard2/index.php b/dashboard2/index.php
index bff4404..4453ec7 100644
--- a/dashboard2/index.php
+++ b/dashboard2/index.php
@@ -1,6 +1,52 @@
 <?php
+// Check if we are serving HTTPS
+function isHttps() {
+    // Check standard HTTPS indicators
+    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+        return true;
+    }
+    if (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) {
+        return true;
+    }
+    // Check for proxy/load balancer headers
+    if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
+        return true;
+    }
+    if (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] === 'on') {
+        return true;
+    }
+    return false;
+}
+
 session_start();
 
+// Security headers
+$isHttps = isHttps();
+header("X-Frame-Options: SAMEORIGIN");
+header("X-Content-Type-Options: nosniff");
+header("X-XSS-Protection: 1; mode=block");
+header("Referrer-Policy: strict-origin-when-cross-origin");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+
+// Build CSP based on protocol
+// Allow external images via both http: and https: since we can't control external links
+$imgSrc = $isHttps ? "'self' data: https:" : "'self' data: http: https:";
+
+$csp = "default-src 'self'; " .
+        "script-src 'self' 'unsafe-inline'; " .
+        "style-src 'self' 'unsafe-inline'; " .
+        "img-src {$imgSrc}; " .
+        "connect-src 'self'; " .
+        "frame-ancestors 'self'";
+
+header("Content-Security-Policy: " . $csp);
+
+// Only add HSTS if served over HTTPS
+if ($isHttps) {
+        // HSTS: Force HTTPS for 1 year, but don't include subdomains (might be on local network)
+        header("Strict-Transport-Security: max-age=31536000");
+}
+
 /*
  *  This dashboard is being developed by the DVBrazil Team as a courtesy to
  *  the XLX Multiprotocol Gateway Reflector Server project.

From 3e86aa65c7554bb9263af824d04e1627a294021e Mon Sep 17 00:00:00 2001
From: Andy Taylor <andy@mw0mwz.co.uk>
Date: Mon, 24 Nov 2025 10:21:58 +0000
Subject: [PATCH 2/2] Update Dashboard2 version

---
 dashboard2/pgs/config.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dashboard2/pgs/config.inc.php b/dashboard2/pgs/config.inc.php
index 3b83f7a..1bb5b25 100644
--- a/dashboard2/pgs/config.inc.php
+++ b/dashboard2/pgs/config.inc.php
@@ -16,7 +16,7 @@ $PageOptions = array();
 
 $PageOptions['ContactEmail']                         = 'your_email';		    // Support E-Mail address
 
-$PageOptions['DashboardVersion']                     = '2.3.8';       			// Dashboard Version
+$PageOptions['DashboardVersion']                     = '2.3.9';       			// Dashboard Version
 
 $PageOptions['PageRefreshActive']                    = true;          			// Activate automatic refresh
 $PageOptions['PageRefreshDelay']                     = '10000';       			// Page refresh time in miliseconds