authorJuha Sippola <juhasippola@outlook.com>2015-06-25 16:36:00 +0300
committerTony Sarajärvi <tony.sarajarvi@theqtcompany.com>2015-09-16 07:31:51 +0000
commit29dc3651a96dfeecc7e356aa642dc76684b481f2 (patch)
tree44de4f5ce9168cabf500e32730d4a57f44826f29 /non-puppet/qtmetrics2/.htaccess
parent7e66ceb73fce9bdd1bbe5a15f55bc1831aad08fd (diff)
Qt Metrics 2 (v0.4): Security improvements
Added applicable security headers to protect the site against typical attacks (checked e.g. with http://cyh.herokuapp.com/cyh). Moved inline JavaScript code to a separate file (because of applying the CSP). Moved jQuery and Bootstrap to local lib directories instead of using CDNs (to get simple and strict CSP rules). Change-Id: If08f7ccf6a53923405a1305c76ff2da7c21b094b Reviewed-by: Lukas Reschke <lukas@owncloud.com> Reviewed-by: Simon Hausmann <simon.hausmann@theqtcompany.com> Reviewed-by: Tony Sarajärvi <tony.sarajarvi@theqtcompany.com>
Diffstat (limited to 'non-puppet/qtmetrics2/.htaccess')
-rw-r--r--non-puppet/qtmetrics2/.htaccess16
1 files changed, 14 insertions, 2 deletions
diff --git a/non-puppet/qtmetrics2/.htaccess b/non-puppet/qtmetrics2/.htaccess
index 93af3b1..095fd43 100644
--- a/non-puppet/qtmetrics2/.htaccess
+++ b/non-puppet/qtmetrics2/.htaccess
@@ -32,13 +32,25 @@
#############################################################################
# Qt Metrics configuration
-# @version 0.1
-# @since 13-05-2015
+# @version 0.2
+# @since 17-06-2015
# @author Juha Sippola
# Turn on the rewriting engine
RewriteEngine On
+# Set security headers
+<IfModule mod_headers.c>
+ # Apply Content Security Policy
+ Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *"
+ # Provide protection against MIME type confusion attacks
+ Header set X-Content-Type-Options "nosniff"
+ # Provide protection against clickjacking
+ Header set X-Frame-Options "SAMEORIGIN"
+ # Provide protection against Cross-Site Scripting
+ Header set X-XSS-Protection "1; mode=block"
+</IfModule>
+
# If the requested file does not exist, show link to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
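Review bot: The four `Header set` directives in the new `<IfModule mod_headers.c>` block apply only to successful responses by default, so error responses (the 404 path that the RewriteRule below does not catch, or a PHP error page) are served without the CSP, nosniff and framing headers; `Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *"` (and likewise for the other three) covers both the success and error header tables. The `<IfModule>` wrapper also means all four headers disappear silently if mod_headers is not loaded, which deserves a comment such as `# mod_headers must be enabled; verify the headers appear in responses after deployment` so the check is not forgotten. The two relaxations in the policy, `style-src 'unsafe-inline'` and `img-src *`, should each carry a one-line comment stating why they are needed (presumably inline styles still present in the pages and images loaded from other hosts) so that later tightening has a documented starting point. Note also that the file header now says `@version 0.2` while the commit title refers to v0.4; if the two are meant to track each other, this is a mismatch.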