xamxam/nginx/SECURITY_HEADERS.md
Théophile Gervreau-Mercier f5d3281c43 security: fix all LOW priority items from TODO.SECURITY.md
Item 13 — Remove deprecated X-XSS-Protection header
- nginx/posterg.conf: header removed (was '1; mode=block')
- nginx/SECURITY_HEADERS.md: new file documenting header decisions
  and explaining why X-XSS-Protection is counterproductive

Item 14 — Add rel="noreferrer" to external target="_blank" link
- public/admin/thanks.php: rel="noopener" → rel="noopener noreferrer"

Item 15 — Explicit (int) casts on all integer HTML outputs
- public/index.php: (int) on item id, page numbers
- public/search.php: (int) on totalItems, year options, item id, pagination

Item 16 — Remove unused DATABASE_PATH constant
- config/bootstrap.php: define('DATABASE_PATH', ...) removed

docs/TODO.SECURITY.md updated: items 13-16 marked resolved and
moved to the Resolved section.
2026-02-08 13:54:02 +01:00


Security Headers — nginx/posterg.conf

Headers in use

| Header | Value | Purpose |
|---|---|---|
| X-Frame-Options | SAMEORIGIN | Prevent clickjacking |
| X-Content-Type-Options | nosniff | Prevent MIME-type sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Limit referrer leakage |
| Permissions-Policy | geolocation=(), microphone=(), camera=() | Disable unused browser APIs |

Intentionally omitted headers

X-XSS-Protection

This header was removed (was "1; mode=block").

Why: X-XSS-Protection is deprecated and absent from all modern browsers (Chrome removed it in 78, Firefox never implemented it, Edge dropped it). Worse, the mode=block behaviour can be actively exploited to expose response bodies that would otherwise be blocked. Sending it provides no protection and may introduce risk.

Correct mitigation: a proper Content-Security-Policy header (todo item #11).
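A quick way to verify that a deployed server matches the table above, as an added example that is not part of this repository: feed the raw response headers (in practice the output of `curl -sI <url>`) to a POSIX shell check that requires each listed header with its exact value and fails if X-XSS-Protection is still being sent. The header dump below is constructed sample data, not a capture from the project.

```shell
# Constructed sample of response headers, standing in for `curl -sI https://example.invalid/`.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Type: text/html'

# header_value HEADERS NAME -> prints the value of NAME (case-insensitive, so
# lower-cased HTTP/2 names also match), or nothing if the header is absent.
# CRLF line endings from curl are stripped first.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F': ' -v name="$2" '
        tolower($1) == tolower(name) { sub(/^[^:]*: /, ""); print; exit }'
}

# check_headers HEADERS -> one PASS/FAIL line per rule; returns 1 if any rule fails.
check_headers() {
    hdrs=$1
    rc=0
    # Required headers and exact values, taken from the "Headers in use" table.
    for rule in \
        'X-Frame-Options=SAMEORIGIN' \
        'X-Content-Type-Options=nosniff' \
        'Referrer-Policy=strict-origin-when-cross-origin' \
        'Permissions-Policy=geolocation=(), microphone=(), camera=()'
    do
        name=${rule%%=*}
        want=${rule#*=}
        got=$(header_value "$hdrs" "$name")
        if [ "$got" = "$want" ]; then
            echo "PASS $name: $got"
        else
            echo "FAIL $name: got '$got', want '$want'"
            rc=1
        fi
    done
    # The deprecated header must not be sent at all.
    if [ -n "$(header_value "$hdrs" X-XSS-Protection)" ]; then
        echo "FAIL X-XSS-Protection is still sent (should be removed)"
        rc=1
    else
        echo "PASS X-XSS-Protection absent"
    fi
    return $rc
}
```

Run it against a live host with `check_headers "$(curl -sI https://your-host/)"`; a non-zero exit status means the deployed configuration has drifted from this document.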

Pending headers

| Header | Status |
|---|---|
| Content-Security-Policy | todo item #11 |