Feature/security headers

README.md

@@ -42,6 +42,7 @@ If necessary, you may install it manually by downloading a Zip archive from [Git
     - REST API links
     - Oembed links
     - Windows Live Writer manifest links
+- Set sensible security headers
 
 ### Capabilities
 
@@ -95,6 +96,7 @@ The following filters can be used to override the default behavior of certain fe
 -   `orbit_enable_rest_api_user_endpoints`: Enable or disable REST API user endpoints. Default `false` (disabled).
 -   `orbit_enable_xmlrpc`: Enable or disable XML-RPC functionality. Default `false` (disabled).
 -   `orbit_enable_expose_wordpress_version`: Show or hide the WordPress version in the site's frontend markup. Default `false` (hidden).
+-   `orbit_default_security_headers`: Set an array of security headers.
 
 ### Capabilities
 

includes/classes/Security/Headers.php

@@ -0,0 +1,69 @@
+<?php
+/**
+ * Amend security headers
+ *
+ * @package Orbit
+ */
+
+namespace Eighteen73\Orbit\Security;
+
+use Eighteen73\Orbit\Singleton;
+
+/**
+ * Completely disable XML-RPC
+ */
+class Headers {
+	use Singleton;
+
+	/**
+	 * Setup module
+	 */
+	public function setup() {
+		add_action( 'wp_headers', [ $this, 'set_security_headers' ], 99, 1 );
+	}
+
+	/**
+	 * Set security headers
+	 *
+	 * @param array $headers Headers
+	 * @return array
+	 */
+	public function set_security_headers( $headers ) {
+
+		$default_security_headers = [
+			// Cross-origin hardening
+			'Cross-Origin-Opener-Policy'   => 'same-origin',
+			'Cross-Origin-Resource-Policy' => 'same-origin',
+
+			// Sensible privacy default
+			'Referrer-Policy' => 'strict-origin-when-cross-origin',
+
+			// Stops MIME sniffing
+			'X-Content-Type-Options' => 'nosniff',
+
+			// Prevent clickjacking inside iframes (legacy)
+			'X-Frame-Options' => 'SAMEORIGIN',
+		];
+
+		$default_csp = [
+			'upgrade-insecure-requests',
+			"default-src 'self'",
+		];
+		$default_security_headers['Content-Security-Policy'] = trim( implode( '; ', $default_csp ) );
+
+		// Only if SSL
+		if ( is_ssl() ) {
+			$default_security_headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
+		}
+
+		$security_headers = apply_filters( 'orbit_default_security_headers', $default_security_headers );
+
+		foreach ( $security_headers as $header => $value ) {
+			if ( ! empty( $value ) ) {
+				$headers[ $header ] = $value;
+			}
+		}
+
+		return $headers;
+	}
+}

orbit.php

@@ -42,6 +42,7 @@ function () {
 		Capabilities\Editor::instance()->setup();
 		Security\DisableAPI::instance()->setup();
 		Security\DisableXMLRPC::instance()->setup();
+		Security\Headers::instance()->setup();
 		Security\HideAuthor::instance()->setup();
 		Security\HideVersion::instance()->setup();
 		Security\RemoveHeadLinks::instance()->setup();