Merge pull request #262 from MW0MWZ/master

Additional security headers to improve security score (dashboard2)
2025-12-06 07:42:01 +01:00 · 2025-11-24 11:25:51 +01:00 · 2025-11-24 11:25:51 +01:00 · a9db71815a
parent 14dfdc656c 3e86aa65c7
commit a9db71815a
3 changed files with 58 additions and 1 deletions
--- a/dashboard2/changes.txt
+++ b/dashboard2/changes.txt
@ -1,3 +1,14 @@
+xlx db v2.3.9
+
+SECURITY UPDATE - Minor upgrade to further improve dashboard security
+
+ - "index.php"
+  * Added additional security headders to improve security score for dashbaord application.
+  * Add Content Security Policy
+  * Add Permissions Policy
+  * Add Transport Security Policy
+
+
 xlx db v2.3.8

 SECURITY UPDATE - XSS Vulnerability Patches and Security Enhancements
--- a/dashboard2/index.php
+++ b/dashboard2/index.php
@ -1,6 +1,52 @@
 <?php
+// Check if we are serving HTTPS
+function isHttps() {
+    // Check standard HTTPS indicators
+    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+        return true;
+    }
+    if (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) {
+        return true;
+    }
+    // Check for proxy/load balancer headers
+    if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
+        return true;
+    }
+    if (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] === 'on') {
+        return true;
+    }
+    return false;
+}
+
 session_start();

+// Security headers
+$isHttps = isHttps();
+header("X-Frame-Options: SAMEORIGIN");
+header("X-Content-Type-Options: nosniff");
+header("X-XSS-Protection: 1; mode=block");
+header("Referrer-Policy: strict-origin-when-cross-origin");
+header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+
+// Build CSP based on protocol
+// Allow external images via both http: and https: since we can't control external links
+$imgSrc = $isHttps ? "'self' data: https:" : "'self' data: http: https:";
+
+$csp = "default-src 'self'; " .
+        "script-src 'self' 'unsafe-inline'; " .
+        "style-src 'self' 'unsafe-inline'; " .
+        "img-src {$imgSrc}; " .
+        "connect-src 'self'; " .
+        "frame-ancestors 'self'";
+
+header("Content-Security-Policy: " . $csp);
+
+// Only add HSTS if served over HTTPS
+if ($isHttps) {
+        // HSTS: Force HTTPS for 1 year, but don't include subdomains (might be on local network)
+        header("Strict-Transport-Security: max-age=31536000");
+}
+
 /*
 *  This dashboard is being developed by the DVBrazil Team as a courtesy to
 *  the XLX Multiprotocol Gateway Reflector Server project.
--- a/dashboard2/pgs/config.inc.php
+++ b/dashboard2/pgs/config.inc.php
@ -16,7 +16,7 @@ $PageOptions = array();

 $PageOptions['ContactEmail']                         = 'your_email';		    // Support E-Mail address

-$PageOptions['DashboardVersion']                     = '2.3.8';       			// Dashboard Version
+$PageOptions['DashboardVersion']                     = '2.3.9';       			// Dashboard Version

 $PageOptions['PageRefreshActive']                    = true;          			// Activate automatic refresh
 $PageOptions['PageRefreshDelay']                     = '10000';       			// Page refresh time in miliseconds