✨ added feature policy with defaults

🔧 X-Frame-Options = DENY, strict-transport-security += preload Signed-off-by: Bruno Meilick <b@bnomei.com>
bnomei · Feb 16, 2020 · caa74e4 · caa74e4
1 parent 6fe7e84
commit caa74e4
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 1 deletion.
diff --git a/classes/SecurityHeaders.php b/classes/SecurityHeaders.php
@@ -171,6 +171,7 @@ public function sendHeaders(): bool
         // from config
         $headers = $this->option('headers');
         foreach ($headers as $key => $value) {
+            $value = is_array($value) ? implode('; ', $value) : $value;
             header($key . ': ' . $value);
         }
 

diff --git a/composer.json b/composer.json
@@ -1,7 +1,7 @@
 {
   "name": "bnomei/kirby3-security-headers",
   "type": "kirby-plugin",
-  "version": "2.2.5",
+  "version": "2.3.0",
   "license": "MIT",
   "description": "Kirby 3 Plugin for easier Security Headers setup",
   "authors": [

diff --git a/index.php b/index.php
@@ -15,6 +15,36 @@
             "X-Content-Type-Options" => "nosniff",
             "strict-transport-security" => "max-age=31536000; includeSubdomains; preload",
             "Referrer-Policy" => "no-referrer-when-downgrade",
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+            "Feature-Policy" => [
+                "accelerometer 'none'",
+                "ambient-light-sensor 'none'",
+                "autoplay 'none'",
+                "battery 'none'",
+                "camera 'none'",
+                "display-capture 'none'",
+                "document-domain 'none'",
+                "encrypted-media 'none'",
+                "execution-while-not-rendered 'none'",
+                "execution-while-out-of-viewport 'none'",
+                "fullscreen 'none'",
+                "geolocation 'none'",
+                "gyroscope 'none'",
+                "layout-animations 'none'",
+                "legacy-image-formats 'none'",
+                "magnetometer 'none'",
+                "microphone 'none'",
+                "midi 'none'",
+                "navigation-override 'none'",
+                "oversized-images 'none'",
+                "payment 'none'",
+                "picture-in-picture 'none'",
+                "publickey-credentials 'none'",
+                "sync-xhr 'none'",
+                "usb 'none'",
+                "wake-lock 'none'",
+                "xr-spatial-tracking 'none'",
+            ],
         ],
         'loader' => function () {
             // https://github.com/paragonie/csp-builder#example