[#13976] Security Headers
Summary Security Headers
Queue Horde Groupware
Queue Version 5.2.6
Type Enhancement
State Feedback
Priority 1. Low
Requester o+horde (at) immerda (dot) ch
Created 2015-05-01 (2362 days ago)
Updated 2016-01-22 (2096 days ago)
Patch No

2016-01-22 12:02:45 Jan Schneider Comment #2
State ⇒ Feedback
Reply to this comment
A patch to start with would be great.
See request #10391
2015-05-01 10:08:06 o+horde (at) immerda (dot) ch Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 1. Low
Summary ⇒ Security Headers
Queue ⇒ Horde Groupware
Milestone ⇒
Patch ⇒ No
Reply to this comment
It has increasingly become good practice to set a number of security 
related http headers. We are currently maintaining our own set of 
headers for horde, but I think it would make sense to maintain them 
directly within horde and enable by default. Other projects (e.g. 
Owncloud) have also begun to do so.

In detail we propose to add the following headers:

-> sameorigin is needed for the attachment upload

2) X-Content-Type-Options: nosniff
-> no problems encountered

3) Content-Security-Policy: default-src 'self'; script-src 
'unsafe-eval' 'unsafe-inline' 'self'; object-src 'self'; style-src 
'unsafe-inline' 'self'; img-src data: 'self'; media-src 'self'; 
frame-src 'self'; font-src 'self'; connect-src 'self';
-> this is fairly restrictive and might break things. E.g. for the imp 
"open html in separate window" function we have a different policy, 
basically lifting restrictions for img-src and style-src to allow 
external elements. I assume other parts of horde would need similar 
-> But CSP headers are really, really important and I would love to 
see them officially supported! E.g. we where not affected by the 
latest XSS in the html editor thanks to them.
-> at least frame, script, object and connect could probably be set 
without breaking anything.

If there is interest but no resources please tell me so, I might be 
able to provide a patch.

Saved Queries