| Field | Value | Date |
|---|---|---|
| author | Justin Velluppillai <justin@innocraft.com> | 2021-08-12 15:35:13 +0300 |
| committer | GitHub <noreply@github.com> | 2021-08-12 15:35:13 +0300 |
| commit | ca8e320ff9011d7146b7200c8c41bb0e39a4a846 (patch) | |
| tree | 81859e42f3a0c91e32846d7f854017e4b6ceb39c /config | |
| parent | 9873cb71e66be0f80839c76e923c3b866dd23b46 (diff) | |
Set CSP header to prevent XSS (#17798)
* Set CSP header to prevent XSS
* Add config setting to disable CSP or enable report-only mode
* Modify settings and remove deprecated report-uri
* Adding tests
* Added tests for different settings
* Prefer DI
Co-authored-by: Stefan Giehl <stefan@matomo.org>
* SecurityPolicy objects now constructed with Config parameter
* Updates expected UI test file
Co-authored-by: Stefan Giehl <stefan@matomo.org>
Diffstat (limited to 'config')
| Mode | File | Lines changed |
|---|---|---|
| -rwxr-xr-x | config/global.ini.php | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/config/global.ini.php b/config/global.ini.php index 27022bd64e..0f1e6dde49 100755 --- a/config/global.ini.php +++ b/config/global.ini.php @@ -437,6 +437,13 @@ password_hash_argon2_time_cost = default ; it is recommended for security reasons to always use Matomo over https force_ssl = 0 +; If set to 1, Matomo will send a Content-Security-Policy header +csp_enabled = 1 + +; If set, and csp_enabled is on, Matomo will send a report-uri in the Content-Security-Policy-Report-Only header +; instead of a Content-Security-Policy header. +csp_report_only = 1 + ; If set to 1 Matomo will prefer using SERVER_NAME variable over HTTP_HOST. ; This can add an additional layer of security as SERVER_NAME can not be manipulated by sending custom host headers when configure correctly. host_validation_use_server_name = 0 |
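Review bot: the comment on `csp_report_only` still describes a report-uri ("Matomo will send a report-uri in the Content-Security-Policy-Report-Only header"), while the commit message says the deprecated report-uri was removed, so the comment promises a reporting endpoint that this setting does not configure. Suggest rewording it to say what the flag does, e.g. `; If set to 1, and csp_enabled is on, Matomo sends the policy in a Content-Security-Policy-Report-Only header` / `; (the browser reports violations but does not block them) instead of a Content-Security-Policy header.` Worth stating in the same comment that with the shipped defaults `csp_enabled = 1` and `csp_report_only = 1` the policy is never enforced out of the box; if report-only is the intended safe rollout default, say so and note that operators must set `csp_report_only = 0` to get the enforcement the commit title promises.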