The EuroCMS Core header component
This component lets you manage the headers sent per HTTP_HOST.
Only owners (admins) are allowed to use this module. You can
Header validation?
Has an exploit ever succeeded via a header before?
Create a regex?
- HSTS: `^Strict-Transport-Security: max-age=[0-9]+(; includeSubDomains)?(; preload)?$` (includeSubDomains and preload are optional directives)
https://flaviocopes.com/http-request-headers/
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
Example of request headers

```http
GET /path/to/page/ HTTP/2
Host: owasp.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.google.com/
Connection: keep-alive
Cookie: banner-seen=true
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
TE: trailers
```
db structure

| header_id | domain_id | user_id | group_id | name | short_description | values |
|---|---|---|---|---|---|---|
| | | | | HTTP Strict Transport Security | | |
| | | | | X-Frame-Options | | |
| | | | | X-Content-Type-Options | | |
| | | | | Content-Security-Policy | | |
| | | | | X-Permitted-Cross-Domain-Policies | | |
| | | | | Referrer-Policy | | |
| | | | | Clear-Site-Data | | |
| | | | | Cross-Origin-Embedder-Policy | | |
| | | | | Cross-Origin-Opener-Policy | | |
| | | | | Cross-Origin-Resource-Policy | | |
| | | | | Cache-Control | | |
Permissions

This is the list of permissions that can be granted to a user.
| name | description |
|---|---|
| header_add | The ability to add headers per domain |
| header_remove | The ability to remove headers per domain |
| header_modify | The ability to modify headers per domain |
db structure

| header_id | domain_id | user_id | group_id | name | values | description | user_lock | status |
|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | | Content-Security-Policy | default-src 'self'; img-src 'self' https: https://i.imgur.com; object-src 'none' | Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from | | enabled |
| 2 | 1 | 1 | | Strict-Transport-Security | max-age={number}; includeSubDomains | HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP | | enabled |
Example of `values` in JSON

```json
{
  "values": {
    "max-age=": {
      "input": "number",
      "description": "The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS."
    },
    "includeSubDomains": "If this optional parameter is specified, this rule applies to all of the site’s subdomains as well."
  }
}
```
Full example JSON structure

```json
{
  "Strict-Transport-Security": {
    "description": "Declare that a website is only accessible over a secure connection (HTTPS).",
    "values": {
      "max-age=": {
        "input": "number",
        "description": "The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS."
      },
      "includeSubDomains": "If this optional parameter is specified, this rule applies to all of the site’s subdomains as well."
    }
  },
  "X-Frame-Options": {
    "description": "An HTTP header which indicates whether the browser should allow the webpage to be displayed in a frame within another webpage. Used as a defense against clickjacking attacks.",
    "values": {
      "deny": {
        "type": "text",
        "description": "No rendering within a frame."
      },
      "sameorigin": {
        "type": "text",
        "description": "No rendering if origin mismatch."
      }
    }
  },
  "X-Content-Type-Options": {
    "description": "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css).",
    "values": {
      "nosniff": {
        "type": "text",
        "description": "Will prevent the browser from MIME-sniffing a response away from the declared content-type."
      }
    }
  }
}
```
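As an added example (not EuroCMS code), a Python validator that takes a schema in the shape above, checks the admin-chosen directives against it, applies a per-header regex of the kind proposed under "Header validation", and refuses any serialized value containing control or non-ASCII characters, so a stored `values` entry can never inject extra header lines. The schema subset, the `FINAL_CHECK` regexes and the function name are assumptions made for this example.

```python
import re
# Schema in the shape of this page's "Full Example json structure" (constructed subset).
HEADER_SCHEMA = {
    "Strict-Transport-Security": {"values": {
        "max-age=": {"input": "number", "description": "seconds to remember HTTPS-only"},
        "includeSubDomains": "rule also applies to all subdomains",
    }},
    "X-Frame-Options": {"values": {
        "deny": {"type": "text", "description": "No rendering within a frame."},
        "sameorigin": {"type": "text", "description": "No rendering if origin mismatch."},
    }},
}
# Hypothetical per-header regexes run as a final check (the notes propose one for HSTS).
FINAL_CHECK = {
    "Strict-Transport-Security": re.compile(r"^max-age=[0-9]+(; includeSubDomains)?(; preload)?$"),
    "X-Frame-Options": re.compile(r"^(deny|sameorigin)$"),  # also rejects both tokens at once
}
# Anything outside visible ASCII (CR, LF, NUL, ...) in a header value is an
# injection vector, so the serialized value is gated on it whatever the schema says.
NOT_VISIBLE_ASCII = re.compile(r"[^\x20-\x7e]")

def build_header_value(name, chosen):
    """chosen maps directive -> argument (None for bare tokens); returns (ok, value_or_reason)."""
    if name not in HEADER_SCHEMA:
        return False, f"unknown header {name!r}"
    allowed = HEADER_SCHEMA[name]["values"]
    extra = set(chosen) - set(allowed)
    if extra:
        return False, f"{name}: directive not allowed: {sorted(extra)}"
    parts = []
    for directive, spec in allowed.items():  # schema order, not the caller's order
        if directive not in chosen:
            continue
        arg = chosen[directive]
        kind = (spec.get("input") or spec.get("type")) if isinstance(spec, dict) else "flag"
        if kind == "number":
            if arg is None or not re.fullmatch(r"[0-9]+", str(arg)):
                return False, f"{name}: {directive} requires a non-negative integer"
            parts.append(f"{directive}{arg}")
        elif arg is None:
            parts.append(directive)  # bare token, carries no user data
        else:
            return False, f"{name}: {directive} takes no argument"
    value = "; ".join(parts)
    if NOT_VISIBLE_ASCII.search(value):
        return False, f"{name}: control or non-ASCII character in value"
    if name in FINAL_CHECK and not FINAL_CHECK[name].match(value):
        return False, f"{name}: {value!r} failed the final check"
    return True, value
```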