Merge pull request #2107 from OnlineDynamic/accessibilityandsecurityd…

…ec24 Accessibility and security update's
FalconChristmas · Jan 7, 2025 · 35c0bc9 · 35c0bc9
2 parents 77d78f8 + a8fe3f7
commit 35c0bc9
Show file tree

Hide file tree

Showing 189 changed files with 7,293 additions and 25,489 deletions.
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
@@ -12,6 +12,7 @@
         "numso.prettier-standard-vscode",
         "devsense.phptools-vscode",
         "xdebug.php-debug",
-        "glenn2223.live-sass"
+        "glenn2223.live-sass",
+        "josee9988.minifyall"
     ]
 }
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -165,5 +165,15 @@
 		"/**/node_modules/**",
 		"/.vscode/**",
 		"/**/bootstrap-scss-src/**"
-	]
-}
+	],
+	"MinifyAll.PrefixOfNewMinifiedFiles": ".min",
+	"MinifyAll.terserMinifyOptions": {
+		"mangle": true,
+		"compress": {
+			"drop_console": true,
+			"dead_code": false,
+			"keep_fnames": false,
+			"keep_classnames": false
+		}
+	}
+}
diff --git a/SD/FPP_Install.sh b/SD/FPP_Install.sh
@@ -1310,6 +1310,7 @@ a2enmod mpm_event
 a2enmod http2
 a2enmod cgi
 a2enmod rewrite
+a2ermod expires
 a2enmod proxy
 a2enmod proxy_http
 a2enmod proxy_http2

diff --git a/SD/FPP_Install_Mac.sh b/SD/FPP_Install_Mac.sh
@@ -129,6 +129,7 @@ sed -i -e "s+#LoadModule proxy+LoadModule proxy+g" $HTTPCONF
 sed -i -e "s+LoadModule proxy_balanc+#LoadModule proxy_balanc+g" $HTTPCONF
 sed -i -e "s+LoadModule proxy_http2_+#LoadModule proxy_http2_+g" $HTTPCONF
 sed -i -e "s+#LoadModule rewrite+LoadModule rewrite+g" $HTTPCONF
+sed -i -e "s+#LoadModule expires+LoadModule expires+g" $HTTPCONF
 sed -i -e "s+#LoadModule watchdog+LoadModule watchdog+g" $HTTPCONF
 sed -i -e "s+#LoadModule mpm_event+LoadModule mpm_event+g" $HTTPCONF
 sed -i -e "s+LoadModule mpm_prefork+#LoadModule mpm_prefork+g" $HTTPCONF

diff --git a/etc/apache2.site b/etc/apache2.site
@@ -1,3 +1,10 @@
+# Prevent Apache from sending in the `Server` response header its
+# exact version number, the description of the generic OS-type or
+# information about its compiled-in modules.
+#
+# https://httpd.apache.org/docs/current/mod/core.html#servertokens
+ServerTokens Prod
+
 <VirtualHost *:80>
 	ServerAdmin webmaster@localhost
 
@@ -66,3 +73,238 @@
     </Proxy>
 </IfModule>
 </IfModule>
+
+
+# MIME types SETTINGS
+# Serve resources with the proper media types (f.k.a. MIME types).
+# https://www.iana.org/assignments/media-types/media-types.xhtml
+
+<IfModule mod_mime.c>
+
+  # Data interchange
+
+    # 2.2.x+
+
+    AddType text/xml                                    xml
+
+    # 2.2.x - 2.4.x
+
+    AddType application/json                            json
+    AddType application/rss+xml                         rss
+
+    # 2.4.x+
+
+    AddType application/json                            map
+
+  # JavaScript
+
+    # 2.2.x+
+
+    # See: https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages.
+    AddType text/javascript                             js mjs
+
+
+  # Manifest files
+
+    # 2.2.x+
+
+    AddType application/manifest+json                   webmanifest
+    AddType text/cache-manifest                         appcache
+
+
+  # Media files
+
+    # 2.2.x - 2.4.x
+
+    AddType audio/mp4                                   f4a f4b m4a
+    AddType audio/ogg                                   oga ogg spx
+    AddType video/mp4                                   mp4 mp4v mpg4
+    AddType video/ogg                                   ogv
+    AddType video/webm                                  webm
+    AddType video/x-flv                                 flv
+	AddType image/png									png
+
+
+    # 2.2.x+
+
+    AddType image/svg+xml                               svgz svg
+    AddType image/x-icon                                cur
+
+    # 2.4.x+
+
+    AddType image/webp                                  webp
+
+
+  # Web fonts
+
+    # 2.2.x - 2.4.x
+
+    AddType application/vnd.ms-fontobject               eot
+
+    # 2.2.x+
+
+    AddType font/woff                                   woff
+    AddType font/woff2                                  woff2
+    AddType font/ttf                                    ttf
+    AddType font/collection                             ttc
+    AddType font/otf                                    otf
+
+
+  # Other
+
+    # 2.2.x+
+
+    AddType text/vtt                                    vtt
+
+</IfModule>
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Serve all resources labeled as `text/html` or `text/plain`
+# with the media type `charset` parameter set to `utf-8`.
+#
+# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
+
+AddDefaultCharset utf-8
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Serve the following file types with the media type `charset`
+# parameter set to `utf-8`.
+#
+# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
+
+<IfModule mod_mime.c>
+    AddCharset utf-8 .appcache \
+                     .atom \
+                     .css \
+                     .js \
+                     .json \
+                     .manifest \
+                     .map \
+                     .mjs \
+                     .rdf \
+                     .rss \
+					 .svg \
+                     .vtt \
+                     .webmanifest \
+                     .xml
+</IfModule>
+
+<IfModule mod_headers.c>
+    Header always set X-Content-Type-Options "nosniff"
+	header always set X-XSS-Protection "1; mode=block"
+	Header always set Content-Security-Policy "img-src 'self' data: blob:"
+	Header unset Expires
+    Header unset Host
+    Header unset P3P
+    Header unset Pragma
+    Header unset Public-Key-Pins
+    Header unset Public-Key-Pins-Report-Only
+    Header unset Via
+    Header unset X-AspNet-Version
+    Header unset X-AspNetMvc-version
+    Header unset X-Frame-Options
+    Header unset X-Powered-By
+    Header unset X-Runtime
+    Header unset X-Version
+
+# remove unneeded headers
+	<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xpi)$">
+        Header unset X-UA-Compatible
+        Header unset X-XSS-Protection
+    </FilesMatch>
+
+    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|png|rdf|rss|safariextz|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xpi)$">
+        Header unset Content-Security-Policy
+        Header unset X-Content-Security-Policy
+        Header unset X-WebKit-CSP
+    </FilesMatch>
+
+</IfModule>
+
+# CACHE CONTROL SETTINGS
+<IfModule mod_expires.c>
+
+  # Automatically add the `Cache-Control` header (as well as the
+  # equivalent `Expires` header).
+
+    ExpiresActive on
+
+  # By default, inform user agents to cache all resources for 1 year.
+
+    ExpiresDefault                                   "access plus 1 year"
+
+
+  # Overwrite the previous for file types whose content usually changes
+  # very often, and thus, should not be cached for such a long period,
+  # or at all.
+
+    # AppCache manifest files
+
+        ExpiresByType text/cache-manifest            "access plus 0 seconds"
+
+
+    # /favicon.ico (cannot be renamed!)
+
+        # [!] If you have access to the main Apache configuration
+        #     file, you can match the root favicon exactly using the
+        #     `<Location>` directive. The same cannot be done inside
+        #     of a `.htaccess` file where only the `<Files>` directive
+        #     can be used, reason why the best that can be done is match
+        #     all files named `favicon.ico` (but that should work fine
+        #     if filename/path-based revving is used)
+        #
+        # See also: https://httpd.apache.org/docs/current/sections.html#file-and-web.
+
+        <Files "favicon.ico">
+            ExpiresByType image/x-icon               "access plus 1 hour"
+        </Files>
+
+
+    # Data interchange
+
+        ExpiresByType application/atom+xml           "access plus 1 hour"
+        ExpiresByType application/rdf+xml            "access plus 1 hour"
+        ExpiresByType application/rss+xml            "access plus 1 hour"
+
+        ExpiresByType application/json               "access plus 0 seconds"
+        ExpiresByType application/ld+json            "access plus 0 seconds"
+        ExpiresByType application/schema+json        "access plus 0 seconds"
+        ExpiresByType application/vnd.geo+json       "access plus 0 seconds"
+        ExpiresByType text/xml                       "access plus 0 seconds"
+
+
+    # HTML
+
+        ExpiresByType text/html                      "access plus 0 seconds"
+
+	# Images
+
+		ExpiresByType image/png                      "access plus 1 year"
+		ExpiresByType image/svg+xml				     "access plus 1 year"
+
+
+    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+    # Where needed add `immutable` value to the `Cache-Control` header
+
+    <IfModule mod_headers.c>
+
+        # Because `mod_headers` cannot match based on the content-type,
+        # the following workaround needs to be done.
+
+        # 1) Add the `immutable` value to the `Cache-Control` header
+        #    to all resources.
+
+        Header merge Cache-Control immutable
+
+        # 2) Remove the value for all resources that shouldn't be have it.
+
+        <FilesMatch "\.(appcache|cur|geojson|json(ld)?|x?html?|topojson|xml)$">
+            Header edit Cache-Control immutable ""
+        </FilesMatch>
+
+    </IfModule>
+
+</IfModule>
diff --git a/upgrade/92/upgrade.sh b/upgrade/92/upgrade.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+#####################################
+
+BINDIR=$(cd $(dirname $0) && pwd)
+. ${BINDIR}/../../scripts/common
+
+#enable mod expires
+a2enmod expires
+#copy across new apache conf
+cat /opt/fpp/etc/apache2.site >/etc/apache2/sites-enabled/000-default.conf
+#restart apache
+sudo service apache2 restart
diff --git a/www/404.php b/www/404.php
@@ -1,18 +1,22 @@
 <!DOCTYPE html>
 <html lang="en">
+
 <head>
-<?php require_once('common.php'); ?>
-<?php include 'common/menuHead.inc'; ?>
-<title><? echo $pageTitle; ?></title>
+  <?php include 'common/htmlMeta.inc';
+  require_once('common.php');
+  include 'common/menuHead.inc'; ?>
+  <title><? echo $pageTitle; ?></title>
 </head>
+
 <body>
-<div id="bodyWrapper">
-  <?php include 'menu.inc'; ?>
-  <br/>
+  <div id="bodyWrapper">
+    <?php include 'menu.inc'; ?>
+    <br />
 
-  <div id='rebootFlag' style='display:block;'>404 - PAGE NOT FOUND</div>
+    <div id='rebootFlag' style='display:block;'>404 - PAGE NOT FOUND</div>
 
-<?php	include 'common/footer.inc'; ?>
-</div>
+    <?php include 'common/footer.inc'; ?>
+  </div>
 </body>
-</html>
+
+</html>
diff --git a/www/about.php b/www/about.php
@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <html lang="en">
 <?php
+include 'common/htmlMeta.inc';
 require_once 'common.php';
 require_once 'config.php';
 
@@ -929,4 +930,4 @@ class='nonULLink'><? echo getFileCount($folder); ?></a></td>
     </div>
 </body>
 
-</html>
+</html>