
Add security headers

Nick Sellen requested to merge add-content-security-policy into master

Fixes #210

What does this MR do?

We should have a content security policy and some other headers! It helps with XSS and other things, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.

How confident are you it won't break things if deployed?

Should be ok!

Won't do anything without the following added to a config file:

define('CSP_REPORT_URI', 'https://sentry.io/api/1373217/security/?sentry_key=2837c8a58de54ba78780b06bceb9c66a');

(this is a nice endpoint to report violations to sentry - see the foodsharing-csp project in sentry)

After some time, once there are no more reports, we can also add:

define('CSP_REPORT_ONLY', false);

This will then actually block violating requests.

Links to related issues

Checklist

  • added a test, or explain why one is not needed/possible... erm... could have added one ... sorry
  • no unrelated changes
  • asked someone for a code review
  • joined #foodsharing-beta channel at https://slackin.yunity.org
  • added an entry to CHANGELOG.md (description, merge request link, username(s))
Edited by Chris Oelmueller
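The two-stage rollout the description lays out (ship the policy in report-only mode, watch the report endpoint, then flip to enforcing) as an added PHP example. This is not the MR's or the foodsharing project's code: the directive list, the extra headers, the function names and the placeholder report URL are all assumptions made for illustration; only the two constant names come from the description above.

```php
<?php
declare(strict_types=1);

// Added example, not code from the MR or the foodsharing code base.
// Builds the security headers from the two config constants the MR names:
//   CSP_REPORT_URI   - where browsers POST violation reports; nothing is sent
//                      at all while it is undefined (matches the MR note)
//   CSP_REPORT_ONLY  - defaults to true (report, don't block) until set to false
// The directives and the extra headers below are assumptions for the example.

/**
 * Return the CSP header as [name, value], or null when no report URI is configured.
 * With $reportOnly the browser only posts violations to report-uri; without it,
 * violating loads are blocked (and still reported).
 */
function buildCspHeader(?string $reportUri, bool $reportOnly): ?array
{
    if ($reportUri === null || $reportUri === '') {
        return null;
    }
    // Starting policy, assumed for the example; tighten once reports dry up.
    $directives = [
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
        'report-uri ' . $reportUri,
    ];
    $name = $reportOnly
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    return [$name, implode('; ', $directives)];
}

/** Read the config constants, report-only being the safe default. */
function securityHeaders(): array
{
    $headers = [
        // Extra headers assumed for the example; the MR does not list them.
        'X-Content-Type-Options' => 'nosniff',
        'X-Frame-Options'        => 'DENY',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
    ];
    $reportUri  = defined('CSP_REPORT_URI') ? CSP_REPORT_URI : null;
    $reportOnly = defined('CSP_REPORT_ONLY') ? (bool) CSP_REPORT_ONLY : true;
    $csp = buildCspHeader($reportUri, $reportOnly);
    if ($csp !== null) {
        $headers[$csp[0]] = $csp[1];
    }
    return $headers;
}

/** Emit the headers; call before any output is sent. */
function sendSecurityHeaders(): void
{
    foreach (securityHeaders() as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Stand-alone demo of the two stages when run from the CLI.
if (PHP_SAPI === 'cli') {
    // Placeholder endpoint, not the project's real Sentry URL.
    define('CSP_REPORT_URI', 'https://example.invalid/csp-report');

    echo "Stage 1 (CSP_REPORT_ONLY undefined -> report only):\n";
    foreach (securityHeaders() as $name => $value) {
        echo "  $name: $value\n";
    }

    echo "\nStage 2 (CSP_REPORT_ONLY false -> enforcing):\n";
    [$name, $value] = buildCspHeader(CSP_REPORT_URI, false);
    echo "  $name: $value\n";
}
```

The point of keeping report-only as the default is that a missing or mistyped `CSP_REPORT_ONLY` can never silently start blocking resources; only an explicit `false` does that, after the report endpoint has gone quiet.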
