wizard: fix headers

nachoparker 2019-03-09 02:31:17 -07:00
parent 1a46667df5
commit f5ba0b10ee
2 changed files with 29 additions and 17 deletions


@ -1,5 +1,7 @@
[v1.9.2](https://github.com/nextcloud/nextcloudpi/commit/8e97067) (2019-03-08) cleanup update.sh
[v1.9.3](https://github.com/nextcloud/nextcloudpi/commit/94bdbc3) (2019-03-09) wizard: fix headers
[v1.9.2](https://github.com/nextcloud/nextcloudpi/commit/1a46667) (2019-03-08) cleanup update.sh
[v1.9.1 ](https://github.com/nextcloud/nextcloudpi/commit/060f004) (2019-03-03) fix LE cron


@ -1,3 +1,29 @@
<?php
/*
NextCloudPi Wizard
Copyleft 2017 by Pantelis Sarantos and Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
GPL licensed (see end of file) * Use at your own risk!
More at https://nextcloudpi.com
**/
ini_set('session.cookie_httponly', 1);
if ( isset($_SERVER['HTTPS']) )
ini_set('session.cookie_secure', 1);
session_start();
// security headers
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
header("X-XSS-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
header("X-Robots-Tag: none");
header("X-Permitted-Cross-Domain-Policies: none");
header("X-Frame-Options: DENY");
header("Cache-Control: max-age=15778463");
?>
<!DOCTYPE html>
<html>
<head>
@ -7,22 +33,6 @@
<!-- Bootstrap -->
<link href="bootstrap/css/bootstrap.min.css" rel="stylesheet">
<link href="CSS/wizard.css" rel="stylesheet">
<?php
session_start();
ini_set('session.cookie_httponly', 1);
if ( isset($_SERVER['HTTPS']) )
ini_set('session.cookie_secure', 1);
// security headers
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
header("X-XSS-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
header("X-Robots-Tag: none");
header("X-Permitted-Cross-Domain-Policies: none");
header("X-Frame-Options: DENY");
header("Cache-Control: max-age=15778463");
?>
<link rel="icon" type="image/png" href="../img/favicon.png" />
</head>
<body>
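Review bot: The `Cache-Control: max-age=15778463` header in the block moved to the top of the file is now sent before any output, right after `session_start()`, so a session-bound page is marked cacheable for roughly six months with no `private` directive. Because `header()` replaces an earlier header of the same name, it also overrides the no-cache `Cache-Control` that PHP's default session cache limiter emits. If the wizard page renders anything tied to the session (not visible in these hunks), prefer `header("Cache-Control: no-store");` here and leave long-lived caching to the static CSS and JS assets. Separately, `object-src 'self'` in the CSP could be tightened to `object-src 'none'` unless the wizard really embeds plugin content.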