initial commit

Author: ashvisualtheme

LICENSE.md

@@ -0,0 +1,93 @@
+# Security Headers Plugin for OJS
+
+This plugin enhances the security of your OJS installation by adding a comprehensive set of modern HTTP security headers. It operates with "**default with override**" logic, providing robust security out-of-the-box while allowing customization for specific needs.
+This plugin is developed and maintained by Ashvisual Theme. <a href="https://demo-ojs.ashvisual.com" target="_blank">See our professional OJS themes in action on our live demo</a>.
+
+## Key Features
+
+- 🛡️ **Adds Modern Security Headers:** Implements best practices to protect your site from common attacks like clickjacking, XSS, and MIME-sniffing.
+- ⚙️ **Secure Defaults:** Comes with recommended default values for all headers, so you don't need to configure anything unless required.
+- ✍️ **Flexible Customization:** Allows administrators to override the value of each header for the entire site or for individual journals.
+- 🗑️ **Removes `X-Powered-By` Header:** Hides server technology information to reduce the informational footprint.
+
+### Managed Headers
+
+This plugin manages the following headers:
+
+- `X-Frame-Options`
+- `X-Content-Type-Options`
+- `X-XSS-Protection` (Included for compatibility, though deprecated)
+- `Content-Security-Policy`
+- `Cross-Origin-Embedder-Policy`
+- `Cross-Origin-Opener-Policy`
+- `Cross-Origin-Resource-Policy`
+- `Permissions-Policy`
+- `Referrer-Policy`
+- `Strict-Transport-Security`
+
+---
+
+## Requirements
+
+- **OJS version:** 3.3.x and above.
+
+---
+
+## Installation
+
+1.  Download the latest release from the plugin's release page.
+2.  Log in to your OJS dashboard as an Administrator.
+3.  Navigate to **Website Settings > Plugins > Upload a New Plugin**.
+4.  Upload the `.tar.gz` file you downloaded.
+5.  Once installation is complete, enable the plugin from the **Installed Plugins** tab.
+
+---
+
+## Configuration
+
+You can configure custom header values for your site or for a specific journal.
+
+1.  Navigate to **Website Settings > Plugins**.
+2.  Find the **Security Headers by AshVisual Theme** plugin and click the **Settings** button.
+3.  A modal window will appear with all configurable headers. The fields will be pre-filled with the secure default values.
+4.  To change a header, edit its value in the corresponding field.
+5.  To **disable** a specific header, clear its field so it is empty and then save. The other headers will remain active with their default or custom values.
+6.  Click **Save**.
+
+---
+
+## Verifying the Headers
+
+After configuring the plugin, you can verify that the security headers are being applied correctly using a free online tool.
+
+1.  Go to a site like [**securityheaders.com**](https://securityheaders.com).
+2.  Enter the URL of your journal (e.g., `https://myjournal.com`).
+3.  Initiate the scan.
+4.  The results will show you which HTTP security headers are active on your site. You should see the headers enabled by this plugin listed in the report.
+
+This will help you confirm that your configuration is working as expected.
+
+---
+
+### Default Values
+
+If a header's value is not customized (or the settings have never been saved), the plugin applies the following secure default values:
+
+| Header                       | Default Value                                                                                                          |
+| :--------------------------- | :--------------------------------------------------------------------------------------------------------------------- |
+| X-Frame-Options              | `SAMEORIGIN`                                                                                                           |
+| X-Content-Type-Options       | `nosniff`                                                                                                              |
+| X-XSS-Protection             | `1; mode=block`                                                                                                        |
+| Content-Security-Policy      | `upgrade-insecure-requests;`                                                                                           |
+| Cross-Origin-Embedder-Policy | `same-origin; report-to='default'`                                                                                     |
+| Cross-Origin-Opener-Policy   | `require-corp`                                                                                                         |
+| Cross-Origin-Resource-Policy | `same-origin`                                                                                                          |
+| Permissions-Policy           | `accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=(), fullscreen=(self)` |
+| Referrer-Policy              | `strict-origin-when-cross-origin`                                                                                      |
+| Strict-Transport-Security    | `max-age=63072000; includeSubDomains; preload`                                                                         |
+
+---
+
+## License
+
+This plugin is released under the GNU General Public License v3. See the `LICENSE.md` or `docs/COPYING` file for full terms.

README.md

@@ -0,0 +1,165 @@
+<?php
+
+/**
+ * @file plugins/generic/ashSecurityHeaders/SecurityHeadersPlugin.inc.php
+ *
+ * Copyright (c) 2021-2025 AshVisualTheme
+ * Copyright (c) 2014-2025 Simon Fraser University
+ * Copyright (c) 2003-2025 John Willinsky
+ * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
+ *
+ * @class SecurityHeadersPlugin
+ * @brief Main class for the Security Headers plugin.
+ */
+
+import('lib.pkp.classes.core.PKPApplication');
+import('lib.pkp.classes.core.JSONMessage');
+import('lib.pkp.classes.linkAction.LinkAction');
+import('lib.pkp.classes.linkAction.request.AjaxModal');
+import('lib.pkp.classes.plugins.GenericPlugin');
+import('lib.pkp.classes.plugins.HookRegistry');
+
+import('plugins.generic.ashSecurityHeaders.SecurityHeadersSettingsForm');
+
+class SecurityHeadersPlugin extends GenericPlugin
+{
+    public function register($category, $path, $mainContextId = null)
+    {
+        $success = parent::register($category, $path, $mainContextId);
+        if ($success && $this->getEnabled()) {
+            HookRegistry::register('Dispatcher::dispatch', [$this, 'addSecurityHeaders']);
+        }
+        return $success;
+    }
+
+    public function getDisplayName()
+    {
+        return __('plugins.generic.ashSecurityHeaders.displayName');
+    }
+
+    public function getDescription()
+    {
+        return __('plugins.generic.ashSecurityHeaders.description');
+    }
+
+    public function isSitePlugin()
+    {
+        if (!$this->getRequest()->getContext()) {
+            return true;
+        }
+        return false;
+    }
+
+    public function getActions($request, $actionArgs)
+    {
+        $actions = parent::getActions($request, $actionArgs);
+        if (!$this->getEnabled()) {
+            return $actions;
+        }
+
+        $router = $request->getRouter();
+        $linkAction = new LinkAction(
+            'settings',
+            new AjaxModal(
+                $router->url(
+                    $request,
+                    null,
+                    null,
+                    'manage',
+                    null,
+                    ['verb' => 'settings', 'plugin' => $this->getName(), 'category' => 'generic']
+                ),
+                $this->getDisplayName()
+            ),
+            __('manager.plugins.settings'),
+            null
+        );
+        array_unshift($actions, $linkAction);
+        return $actions;
+    }
+
+    public function manage($args, $request)
+    {
+        switch ($request->getUserVar('verb')) {
+            case 'settings':
+                $form = new SecurityHeadersSettingsForm($this);
+
+                if (!$request->getUserVar('save')) {
+                    $form->initData();
+                    return new JSONMessage(true, $form->fetch($request));
+                }
+
+                $form->readInputData();
+                if ($form->validate()) {
+                    $form->execute();
+                    return new JSONMessage(true);
+                }
+        }
+        return parent::manage($args, $request);
+    }
+
+    public function getDefaultHeaders()
+    {
+        return [
+            'X-Frame-Options' => 'SAMEORIGIN',
+            'X-Content-Type-Options' => 'nosniff',
+            'X-XSS-Protection' => '1; mode=block',
+            'Content-Security-Policy' => "upgrade-insecure-requests;",
+            'Cross-Origin-Embedder-Policy' => "same-origin; report-to='default'",
+            'Cross-Origin-Opener-Policy' => 'require-corp',
+            'Cross-Origin-Resource-Policy' => 'same-origin',
+            'Permissions-Policy' => "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=(), fullscreen=(self)",
+            'Referrer-Policy' => 'strict-origin-when-cross-origin',
+            'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload',
+        ];
+    }
+
+    public function addSecurityHeaders($hookName, $params)
+    {
+
+        if (defined('SESSION_DISABLE_INIT') || php_sapi_name() === 'cli' || headers_sent()) {
+            return false;
+        }
+
+        $defaultHeaders = $this->getDefaultHeaders();
+        $request = PKPApplication::get()->getRequest();
+        $context = $request->getContext();
+        $contextId = $context ? $context->getId() : CONTEXT_SITE;
+
+        $settingMap = [
+            'X-Frame-Options' => 'headerXfo',
+            'X-Content-Type-Options' => 'headerXcto',
+            'X-XSS-Protection' => 'headerXxss',
+            'Content-Security-Policy' => 'headerCsp',
+            'Cross-Origin-Embedder-Policy' => 'headerCoep',
+            'Cross-Origin-Opener-Policy' => 'headerCoop',
+            'Cross-Origin-Resource-Policy' => 'headerCorp',
+            'Permissions-Policy' => 'headerPp',
+            'Referrer-Policy' => 'headerRp',
+            'Strict-Transport-Security' => 'headerHsts',
+        ];
+
+        $finalHeaders = [];
+        foreach ($settingMap as $headerName => $settingKey) {
+            $savedValue = $this->getSetting($contextId, $settingKey);
+
+            if ($savedValue === null) {
+                if (isset($defaultHeaders[$headerName])) {
+                    $finalHeaders[$headerName] = $defaultHeaders[$headerName];
+                }
+            } elseif ($savedValue !== '') {
+                $finalHeaders[$headerName] = $savedValue;
+            }
+        }
+
+        header_remove('X-Powered-By');
+
+        if (!empty($finalHeaders)) {
+            foreach ($finalHeaders as $name => $value) {
+                header("{$name}: {$value}");
+            }
+        }
+
+        return false;
+    }
+}

SecurityHeadersPlugin.inc.php

@@ -0,0 +1,118 @@
+<?php
+
+/**
+ * @file plugins/generic/ashSecurityHeaders/SecurityHeadersSettingsForm.inc.php
+ *
+ * Copyright (c) 2021-2025 AshVisualTheme
+ * Copyright (c) 2014-2025 Simon Fraser University
+ * Copyright (c) 2003-2025 John Willinsky
+ * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
+ *
+ * @class SecurityHeadersSettingsForm
+ * @brief Form for managing the Security Headers plugin settings.
+ */
+
+import('lib.pkp.classes.core.PKPApplication');
+import('lib.pkp.classes.form.Form');
+import('lib.pkp.classes.form.validation.FormValidatorCSRF');
+import('lib.pkp.classes.form.validation.FormValidatorPost');
+import('lib.pkp.classes.notification.PKPNotification');
+import('lib.pkp.classes.notification.PKPNotificationManager');
+import('lib.pkp.classes.template.PKPTemplateManager');
+
+class SecurityHeadersSettingsForm extends Form
+{
+    public SecurityHeadersPlugin $plugin;
+    private $settingKeys;
+
+    public function __construct(SecurityHeadersPlugin $plugin)
+    {
+        parent::__construct($plugin->getTemplateResource('settings.tpl'));
+        $this->plugin = $plugin;
+
+        $this->settingKeys = [
+            'headerXfo',
+            'headerXcto',
+            'headerXxss',
+            'headerCsp',
+            'headerCoep',
+            'headerCoop',
+            'headerCorp',
+            'headerPp',
+            'headerRp',
+            'headerHsts'
+        ];
+
+        $this->addCheck(new FormValidatorPost($this));
+        $this->addCheck(new FormValidatorCSRF($this));
+    }
+
+    public function initData()
+    {
+        $context = PKPApplication::get()->getRequest()->getContext();
+        $contextId = $context ? $context->getId() : CONTEXT_SITE;
+        $defaultHeaders = $this->plugin->getDefaultHeaders();
+
+        $settingMap = [
+            'headerXfo' => 'X-Frame-Options',
+            'headerXcto' => 'X-Content-Type-Options',
+            'headerXxss' => 'X-XSS-Protection',
+            'headerCsp' => 'Content-Security-Policy',
+            'headerCoep' => 'Cross-Origin-Embedder-Policy',
+            'headerCoop' => 'Cross-Origin-Opener-Policy',
+            'headerCorp' => 'Cross-Origin-Resource-Policy',
+            'headerPp' => 'Permissions-Policy',
+            'headerRp' => 'Referrer-Policy',
+            'headerHsts' => 'Strict-Transport-Security',
+        ];
+
+        foreach ($this->settingKeys as $key) {
+            $savedValue = $this->plugin->getSetting($contextId, $key);
+
+            if ($savedValue === null) {
+                $headerName = $settingMap[$key] ?? null;
+                if ($headerName && isset($defaultHeaders[$headerName])) {
+                    $this->setData($key, $defaultHeaders[$headerName]);
+                }
+            } else {
+                $this->setData($key, $savedValue);
+            }
+        }
+
+        parent::initData();
+    }
+
+    public function readInputData()
+    {
+        $this->readUserVars($this->settingKeys);
+        parent::readInputData();
+    }
+
+    public function fetch($request, $template = null, $display = false)
+    {
+        $templateMgr = PKPTemplateManager::getManager($request);
+        $templateMgr->assign('pluginName', $this->plugin->getName());
+        return parent::fetch($request, $template, $display);
+    }
+
+    public function execute(...$functionArgs)
+    {
+        $context = PKPApplication::get()->getRequest()->getContext();
+        $contextId = $context ? $context->getId() : CONTEXT_SITE;
+
+        foreach ($this->settingKeys as $key) {
+            $value = $this->getData($key);
+            $sanitizedValue = is_string($value) ? preg_replace('/[\r\n]/', '', $value) : $value;
+            $this->plugin->updateSetting($contextId, $key, $sanitizedValue);
+        }
+
+        $notificationMgr = new PKPNotificationManager();
+        $notificationMgr->createTrivialNotification(
+            PKPApplication::get()->getRequest()->getUser()->getId(),
+            NOTIFICATION_TYPE_SUCCESS,
+            ['contents' => __('common.changesSaved')]
+        );
+
+        return parent::execute(...$functionArgs);
+    }
+}

SecurityHeadersSettingsForm.inc.php

@@ -0,0 +1,17 @@
+<?php
+
+/**
+ * @file plugins/generic/securityHeaders/index.php
+ *
+ * Copyright (c) 2021-2025 AshVisualTheme
+ * Copyright (c) 2014-2025 Simon Fraser University
+ * Copyright (c) 2003-2025 John Willinsky
+ * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
+ *
+ * @ingroup plugins_generic_securityHeaders
+ * @brief Wrapper for the security headers plugin.
+ *
+ */
+
+require_once('SecurityHeadersPlugin.inc.php');
+return new SecurityHeadersPlugin();