
function _seckit_get_options in Security Kit 6

Same name and namespace in other branches
  1. 7 seckit.module _seckit_get_options()

Sets default options.

8 calls to _seckit_get_options()
seckit_admin_form in includes/seckit.form.inc
Forms administration page.
seckit_init in ./seckit.module
Implements hook_init().
_seckit_csp in ./seckit.module
Sends Content Security Policy HTTP headers.
_seckit_from_origin in ./seckit.module
Sends From-Origin HTTP response header.
_seckit_get_js_css_noscript_code in ./seckit.module
Gets JavaScript and CSS code.


File

./seckit.module, line 533
Allows administrators to improve security of the website.

Code

/**
 * Returns Security Kit's options, supplying defaults for anything unsaved.
 *
 * Each option group is loaded with variable_get(); when a group has never
 * been saved, a built-in default array is used instead. Because an older
 * saved group may lack keys added later, individual keys are then defaulted
 * one by one, so callers may rely on every key handled below being present.
 *
 * The assembled array is cached in a static variable for the rest of the
 * request; there is no reset parameter, so a change saved later in the same
 * request is not reflected by subsequent calls.
 *
 * @return array
 *   Options keyed by group: 'seckit_xss', 'seckit_csrf',
 *   'seckit_clickjacking', 'seckit_ssl' and 'seckit_various'.
 */
function _seckit_get_options() {
  static $result;
  if (!empty($result)) {
    return $result;
  }

  // Group-level defaults: used only when the whole variable is unsaved.
  $group_defaults = array(
    'seckit_xss' => array(
      'csp' => array(
        'report-only' => 0,
        'script-src' => '',
        'object-src' => '',
        'img-src' => '',
        'media-src' => '',
        'style-src' => '',
        'frame-src' => '',
        'font-src' => '',
        'connect-src' => '',
        'policy-uri' => '',
      ),
    ),
    'seckit_csrf' => array(
      'origin' => 1,
      'origin_whitelist' => '',
    ),
    'seckit_clickjacking' => array(
      'js_css_noscript' => 0,
      'x_frame_allow_from' => '',
    ),
    'seckit_ssl' => array(
      'hsts' => 0,
      'hsts_subdomains' => 0,
    ),
    'seckit_various' => array(
      'from_origin' => 0,
    ),
  );
  foreach ($group_defaults as $variable_name => $group_default) {
    $result[$variable_name] = variable_get($variable_name, $group_default);
  }

  // --- XSS group: Content Security Policy, X-XSS-Protection, X-Content-Type-Options.
  $xss = &$result['seckit_xss'];
  // CSP is off unless the saved options say otherwise.
  if (!isset($xss['csp']['checkbox'])) {
    $xss['csp']['checkbox'] = 0;
  }
  // default-src and report-uri are replaced when missing OR empty (empty()
  // covers both), unlike the other keys which only need to exist. A blank
  // default-src becomes 'self'; presumably this keeps an unrestricted policy
  // from ever being emitted -- confirm against _seckit_csp().
  if (empty($xss['csp']['default-src'])) {
    $xss['csp']['default-src'] = "'self'";
  }
  // Violation reports go to the module's own menu callback by default.
  if (empty($xss['csp']['report-uri'])) {
    $xss['csp']['report-uri'] = 'admin/settings/seckit/csp-report';
  }
  // X-XSS-Protection: leave the browser's own behaviour in place.
  if (!isset($xss['x_xss']['select'])) {
    $xss['x_xss']['select'] = SECKIT_X_XSS_DISABLE;
  }
  // X-Content-Type-Options is on by default.
  if (!isset($xss['x_content_type']['checkbox'])) {
    $xss['x_content_type']['checkbox'] = 1;
  }
  unset($xss);

  // --- CSRF group: Origin-header validation is on by default.
  $csrf = &$result['seckit_csrf'];
  if (!isset($csrf['origin'])) {
    $csrf['origin'] = 1;
  }
  unset($csrf);

  // --- Clickjacking group: X-Frame-Options and the no-JavaScript notice.
  $clickjacking = &$result['seckit_clickjacking'];
  if (!isset($clickjacking['x_frame'])) {
    $clickjacking['x_frame'] = SECKIT_X_FRAME_SAMEORIGIN;
  }
  // The message is translated when the options are built, not when rendered.
  if (!isset($clickjacking['noscript_message'])) {
    $clickjacking['noscript_message'] = t('Sorry, you need to enable JavaScript to visit this website.');
  }
  unset($clickjacking);

  // --- SSL group: HSTS max-age. The HSTS header expresses max-age in seconds,
  // so if this value is sent as-is the default pins HTTPS for under 20
  // minutes -- NOTE(review): confirm the short default is intentional.
  $ssl = &$result['seckit_ssl'];
  if (!isset($ssl['hsts_max_age'])) {
    $ssl['hsts_max_age'] = 1000;
  }
  unset($ssl);

  // --- Various group: From-Origin defaults to 'same'.
  $various = &$result['seckit_various'];
  if (!isset($various['from_origin_destination'])) {
    $various['from_origin_destination'] = 'same';
  }
  unset($various);

  return $result;
}