Project: Ibexa IBX, issue IBX-3028

Configurable response headers


Details

    • Type: Feature
    • Resolution: Unresolved
    • Priority: Medium

    Description

      Feature part of https://issues.ibexa.co/browse/EZP-32043 (which will be closed when doc is merged).

      Feature: A kernel response listener that reads header configuration from YAML and applies it to the response. Any header could be set, not just security headers, so this is not a security feature per se and should not be named as one. The setting should be siteaccess aware. Further variability might also be useful. Ref. engineering demo June 10th.

      Why in PHP: These headers could be set in the web server or in a proxy instead of in the kernel, but setting them in PHP code gives certain benefits.

      • Easy to provide some security headers by default, regardless of installation details.
      • The headers work the same regardless of web server, proxy, or Cloud provider. They even work the same with PHP's built-in web server, which is good for testing.
      • Easier to maintain than if we had separate configs for Apache, Nginx, Varnish, pSH, etc.
      • Easier to extend with more complex rules, if desired.


      YAML format details

      The attached screenshot shows name and directives as string entries. We may want to also support directive-list, as an array of strings. If we do this, we also need a separator entry to specify whether the strings should be concatenated with a comma, a semicolon or something else, as this is not standardised.

      For headers like Content-Security-Policy that can have a report-uri parameter referring to a server interface receiving the reports, it can make sense to have a separate config entry for this URL, as it may be repeated for several headers. Then we need a way to specify if and where this uri should be inserted into the directives.
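      The listener and YAML rules described above (plain string directives, a directive list joined with an explicit separator, and a shared report-uri entry inserted into the directives), as an added example. This is illustration code, not Ibexa's implementation: the keys `directive-list`, `separator`, `report-uri` and the `{report-uri}` placeholder are assumed names, the sample YAML is constructed, and the example assumes the caller has already resolved the config array for the current siteaccess (for instance through Ibexa's config resolver), which it does not wire up. It needs the Symfony HttpKernel, EventDispatcher and Yaml components installed via Composer.

```php
<?php
declare(strict_types=1);

// Added illustration, not Ibexa's code. Assumes the Symfony HttpKernel, EventDispatcher
// and Yaml components are installed with Composer and autoloaded from vendor/.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Yaml\Yaml;

// Constructed sample config in the shape the ticket discusses. `name`/`directives` are the
// string entries from the screenshot; `directive-list`, `separator`, `report-uri` and the
// `{report-uri}` placeholder are hypothetical names for the additions the ticket proposes.
const SAMPLE_HEADERS_YAML = <<<'YAML'
report-uri: https://csp-reports.example.invalid/collect
headers:
  - name: X-Content-Type-Options
    directives: nosniff
  - name: Content-Security-Policy
    separator: '; '
    directive-list:
      - "default-src 'self'"
      - "object-src 'none'"
      - "report-uri {report-uri}"
  - name: Permissions-Policy
    separator: ', '
    directive-list:
      - camera=()
      - geolocation=()
YAML;

final class ConfigurableResponseHeadersSubscriber implements EventSubscriberInterface
{
    /** @param array<string,mixed> $config parsed YAML, already resolved for the current siteaccess */
    public function __construct(private readonly array $config)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // Low priority: run after most other response listeners so nothing later overwrites us.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -255]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests (ESI, fragments) do not get their own copy of the headers
        }
        $headers = $event->getResponse()->headers;
        foreach (self::buildHeaders($this->config) as $name => $value) {
            $headers->set($name, $value);
        }
    }

    /**
     * Turns the parsed config into a header-name => value map. Kept static and
     * side-effect free so the YAML rules can be unit-tested without booting a kernel.
     */
    public static function buildHeaders(array $config): array
    {
        $reportUri = $config['report-uri'] ?? null;
        $result = [];
        foreach ($config['headers'] ?? [] as $entry) {
            if (isset($entry['directive-list'])) {
                // The separator is mandatory for lists: the joining character is header-specific.
                if (!isset($entry['separator'])) {
                    throw new \InvalidArgumentException("Header {$entry['name']}: directive-list needs a separator");
                }
                $value = implode($entry['separator'], $entry['directive-list']);
            } else {
                $value = (string) ($entry['directives'] ?? '');
            }
            if ($reportUri !== null) {
                $value = str_replace('{report-uri}', $reportUri, $value);
            }
            // A CR/LF in a configured value would split the header; reject it at config time.
            if (preg_match('/[\r\n]/', $value) === 1) {
                throw new \InvalidArgumentException("Header {$entry['name']}: value contains a line break");
            }
            $result[$entry['name']] = $value;
        }
        return $result;
    }
}

// Stand-alone run: show what the listener would set for the sample config.
foreach (ConfigurableResponseHeadersSubscriber::buildHeaders(Yaml::parse(SAMPLE_HEADERS_YAML)) as $name => $value) {
    echo "$name: $value\n";
}
```

      Registered as a service, the subscriber receives the config array for the active siteaccess and sets every configured header on the main response; the CSP list is joined with the configured "; ", the Permissions-Policy list with ", ", and the single report-uri entry is substituted wherever a directive carries the placeholder. Because the listener sets the headers unconditionally, the same values appear whether the app runs behind Apache, Nginx, Varnish or PHP's built-in server, which is the portability argument made above.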

      Resources

      Good up-to-date info about security headers: https://owasp.org/www-project-secure-headers/ 

      People

        Assignee: Unassigned
        Reporter: Gunnstein Lye (gunnstein.lye@ibexa.co)