Hardens FlatPress via HTTP response header

Fixes #146

Can be optionally activated by the FlatPress admin

 * Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources for approved content, you can prevent the browser from loading malicious content.
 * Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
 * HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
 * The X-Download-Options response header instructs the browser not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks.
 * HTTP Strict Transport Security (HSTS for short) is a security mechanism for HTTPS connections that protects against both connection encryption downgrade attack and session hijacking.
 * The referrer policy directive determines whether, and if so which, referrer information for requests triggered by the current web page is sent by the web browser in HTTP requests.

defaults.php

@@ -124,6 +124,7 @@ $serverport = "false";
 // Unterstützung für Apache und IIS
 ini_set('session.cookie_secure', 1);
 ini_set('session.cookie_httponly', 1);
+ini_set('session.cookie_samesite', 'Lax');
 if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
 	$serverport = "https://";
 } else {

fp-plugins/fpprotect/doc_fpprotect.txt

@@ -0,0 +1,16 @@
+FlatPress Protect
+=================
+
+Description
+-----------
+Protect your blog with additional fetures in the HTTP response header
+
+ * Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources for approved content, you can prevent the browser from loading malicious content.
+ * Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
+ * HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
+ * The X-Download-Options response header instructs the browser not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks.
+ * HTTP Strict Transport Security (HSTS for short) is a security mechanism for HTTPS connections that protects against both connection encryption downgrade attack and session hijacking.
+ * The referrer policy directive determines whether, and if so which, referrer information for requests triggered by the current web page is sent by the web browser in HTTP requests.
+
+Here you can check the security of your Flatpress blog
+https://securityheaders.com/

fp-plugins/fpprotect/plugin.fpprotect.php

@@ -0,0 +1,23 @@
+<?php
+/*
+ * Plugin Name: FlatPress Protect
+ * Plugin URI: http://www.flatpress.org/
+ * Description: Protect your blog with additional fetures in the HTTP response header. <a href="./fp-plugins/fpprotect/doc_fpprotect.txt" title="More information" target="_blank">[More information]</a>
+ * Author: FlatPress
+ * Version: 1.0
+ * Author URI: https://www.flatpress.org
+ */
+
+// Content Security Policy rules for Youtube, Facebook and Vimeo embedded video / BBCode [video], embedded OSM
+header('Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
+header('X-Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
+header('X-WebKit-CSP: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
+// End of Content Security Policy rules
+header('Feature-Policy: interest-cohort \'none\'; autoplay \'self\'; camera \'self\'; fullscreen \'self\'; geolocation \'self\'; microphone \'self\'; payment \'none\';'); // Goodbye Feature Policy! // thx Nextcloud-Maps-App, github.com/nextcloud
+header('Permissions-Policy: interest-cohort=(), autoplay=(self), camera=(self), fullscreen=(self), geolocation=(self), microphone=(self), payment=(),'); // Hello Permissions Policy! // thx Nextcloud-Maps-App, github.com/nextcloud
+header('Referrer-Policy: strict-origin-when-cross-origin');
+header('Strict-Transport-Security: max-age=15552000; includeSubDomains');
+header('X-Permitted-Cross-Domain-Policies: none');
+header('X-Download-Options: noopen');
+?>
+