LX3JL/xlxd
1
0
Fork 0
mirror of https://github.com/LX3JL/xlxd.git synced 2025-12-06 07:42:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #262 from MW0MWZ/master

Browse source 
Additional security headers to improve security score (dashboard2)
This commit is contained in:
LX1IQ 2025-11-24 11:25:51 +01:00 committed by GitHub
parent 14dfdc656c 3e86aa65c7
commit a9db71815a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 58 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
dashboard2/changes.txt
View file

@ -1,3 +1,14 @@
xlx db v2.3.9
SECURITY UPDATE - Minor upgrade to further improve dashboard security
- "index.php"
* Added additional security headders to improve security score for dashbaord application.
* Add Content Security Policy
* Add Permissions Policy
* Add Transport Security Policy
xlx db v2.3.8 xlx db v2.3.8
SECURITY UPDATE - XSS Vulnerability Patches and Security Enhancements SECURITY UPDATE - XSS Vulnerability Patches and Security Enhancements

46
dashboard2/index.php
View file

@ -1,6 +1,52 @@
<?php <?php
// Check if we are serving HTTPS
function isHttps() {
// Check standard HTTPS indicators
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
return true;
}
if (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) {
return true;
}
// Check for proxy/load balancer headers
if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
return true;
}
if (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] === 'on') {
return true;
}
return false;
}
session_start(); session_start();
// Security headers
$isHttps = isHttps();
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("X-XSS-Protection: 1; mode=block");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
// Build CSP based on protocol
// Allow external images via both http: and https: since we can't control external links
$imgSrc = $isHttps ? "'self' data: https:" : "'self' data: http: https:";
$csp = "default-src 'self'; " .
"script-src 'self' 'unsafe-inline'; " .
"style-src 'self' 'unsafe-inline'; " .
"img-src {$imgSrc}; " .
"connect-src 'self'; " .
"frame-ancestors 'self'";
header("Content-Security-Policy: " . $csp);
// Only add HSTS if served over HTTPS
if ($isHttps) {
// HSTS: Force HTTPS for 1 year, but don't include subdomains (might be on local network)
header("Strict-Transport-Security: max-age=31536000");
}
/* /*
* This dashboard is being developed by the DVBrazil Team as a courtesy to * This dashboard is being developed by the DVBrazil Team as a courtesy to
* the XLX Multiprotocol Gateway Reflector Server project. * the XLX Multiprotocol Gateway Reflector Server project.

2
dashboard2/pgs/config.inc.php
View file

@ -16,7 +16,7 @@ $PageOptions = array();
$PageOptions['ContactEmail'] = 'your_email'; // Support E-Mail address $PageOptions['ContactEmail'] = 'your_email'; // Support E-Mail address
$PageOptions['DashboardVersion'] = '2.3.8'; // Dashboard Version $PageOptions['DashboardVersion'] = '2.3.9'; // Dashboard Version
$PageOptions['PageRefreshActive'] = true; // Activate automatic refresh $PageOptions['PageRefreshActive'] = true; // Activate automatic refresh
$PageOptions['PageRefreshDelay'] = '10000'; // Page refresh time in miliseconds $PageOptions['PageRefreshDelay'] = '10000'; // Page refresh time in miliseconds