From 9cd8dc3031e031b018c8e076e2bbd6f344da40ca Mon Sep 17 00:00:00 2001 From: Josh North Date: Fri, 15 Oct 2021 22:31:52 -0400 Subject: [PATCH] Encrypt fixes, add carnum options, remove debug lines --- .htaccess | 9 ++++++++- changelang.php | 14 +++++++------- changesite.php | 14 +++++++------- classes/misc/csrf.php | 2 +- nbproject/project.properties | 2 +- src/Misc/Csrf.php | 4 ++-- 6 files changed, 26 insertions(+), 19 deletions(-) diff --git a/.htaccess b/.htaccess index 5854ceb..34095b1 100644 --- a/.htaccess +++ b/.htaccess @@ -1,2 +1,9 @@ RedirectMatch 404 /\.git - +Header append X-FRAME-OPTIONS "SAMEORIGIN" +Header append X-Content-Type-Options "nosniff" + + Header set X-XSS-Protection "1; mode=block" +# Header always append X-Frame-Options SAMEORIGIN +Header always set Strict-Transport-Security "max-age=604800; includeSubDomains" + Header set X-Content-Type-Options nosniff + diff --git a/changelang.php b/changelang.php index 0881f87..b1fa44a 100755 --- a/changelang.php +++ b/changelang.php @@ -18,11 +18,11 @@ $app_disp_lang = filter_input(INPUT_POST, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // GET SANITARY LANG CHOICE // only works with new php? - // setcookie ( 'app_disp_lang', $app_disp_lang, [ - // 'expires' => time() + 60*60*24*90, - // 'secure' => false, - // 'httponly' => false, - // 'samesite' => 'Lax', - //]); - setcookie ( 'app_disp_lang', $app_disp_lang, time() + 60*60*24*90); // SET SITE COOKIE + setcookie ( 'app_disp_lang', $app_disp_lang, [ + 'expires' => time() + 60*60*24*90, + 'secure' => false, + 'httponly' => true, + 'samesite' => 'Strict', + ]); + //setcookie ( 'app_disp_lang', $app_disp_lang, time() + 60*60*24*90); // SET SITE COOKIE header('Location: index.php'); // GO HOME UNTIL WE ADD REFERER LOGIC diff --git a/changesite.php b/changesite.php index f644959..bddb736 100755 --- a/changesite.php +++ b/changesite.php @@ -17,11 +17,11 @@ */ $site = filter_input(INPUT_POST, 'site', FILTER_SANITIZE_STRING); // GET SANITARY SITE CHOICE - //setcookie ( 'app_site', $site, [ - // 'expires' => time() + 60*60*24*90, - // 'secure' => false, - // 'httponly' => false, - // 'samesite' => 'Lax', - //]); - setcookie ( 'app_site', $site, time() + 60*60*24*90); // SET SITE COOKIE + setcookie ( 'app_site', $site, [ + 'expires' => time() + 60*60*24*90, + 'secure' => false, + 'httponly' => true, + 'samesite' => 'Strict', + ]); + //setcookie ( 'app_site', $site, time() + 60*60*24*90); // SET SITE COOKIE header('Location: index.php'); // GO HOME UNTIL WE ADD REFERER LOGIC diff --git a/classes/misc/csrf.php b/classes/misc/csrf.php index 92ebb60..63e4d6a 100644 --- a/classes/misc/csrf.php +++ b/classes/misc/csrf.php @@ -35,7 +35,7 @@ class csrf { 'expires' => $token->expiry, 'secure' => false, 'httponly' => false, - 'samesite' => 'Lax', + 'samesite' => 'Strict', ]); return $_SESSION['csrftokens'][$page] = $token; diff --git a/nbproject/project.properties b/nbproject/project.properties index 8b7302c..d552ad0 100644 --- a/nbproject/project.properties +++ b/nbproject/project.properties @@ -1,5 +1,5 @@ include.path=${php.global.include.path} -php.version=PHP_54 +php.version=PHP_72 source.encoding=UTF-8 src.dir=. tags.asp=false diff --git a/src/Misc/Csrf.php b/src/Misc/Csrf.php index 9dcba15..52d02af 100644 --- a/src/Misc/Csrf.php +++ b/src/Misc/Csrf.php @@ -36,8 +36,8 @@ class Csrf setcookie ( self::makeCookieName($page), $token->cookietoken, [ 'expires' => $token->expiry, 'secure' => false, - 'httponly' => false, - 'samesite' => 'Lax', + 'httponly' => true, + 'samesite' => 'Strict', ]); return $_SESSION['csrftokens'][$page] = $token;