From cb2dcc75f1b36e20cb16529d239c7e57c97190c3 Mon Sep 17 00:00:00 2001
From: Robbie Averill
Date: Mon, 9 Jan 2017 16:13:39 +1300
Subject: [PATCH] Add X-Robots-Tag noindex,nofollow header from Security controller to prevent indexing
---
 security/Security.php | 11 +++++++++++
 tests/security/SecurityTest.php | 7 +++++++
 2 files changed, 18 insertions(+)
diff --git a/security/Security.php b/security/Security.php
index 6e960ccbf..840af3f9d 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -146,6 +146,14 @@ class Security extends Controller implements TemplateGlobalProvider {
 */
 private static $frame_options = 'SAMEORIGIN';
 
+ /**
+ * Value of the X-Robots-Tag header (for the Security section)
+ *
+ * @config
+ * @var string
+ */
+ private static $robots_tag = 'noindex, nofollow';
+
 /**
 * Get location of word list file
 *
@@ -326,6 +334,9 @@ class Security extends Controller implements TemplateGlobalProvider {
 
 // Prevent clickjacking, see https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
 $this->getResponse()->addHeader('X-Frame-Options', $this->config()->frame_options);
+
+ // Prevent search engines from indexing the login page
+ $this->getResponse()->addHeader('X-Robots-Tag', $this->config()->robots_tag);
 }
 
 public function index() {
diff --git a/tests/security/SecurityTest.php b/tests/security/SecurityTest.php
index 45463d6fe..bd2c8ed0f 100644
--- a/tests/security/SecurityTest.php
+++ b/tests/security/SecurityTest.php
@@ -574,6 +574,13 @@ class SecurityTest extends FunctionalTest {
 Security::$force_database_is_ready = $old;
 }
 
+ public function testSecurityControllerSendsRobotsTagHeader() {
+ $response = $this->get(Config::inst()->get('Security', 'login_url'));
+ $robotsHeader = $response->getHeader('X-Robots-Tag');
+ $this->assertNotNull($robotsHeader);
+ $this->assertContains('noindex', $robotsHeader);
+ }
+
 /**
 * Execute a log-in form using Director::test().
 * Helper method for the tests above
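Review bot: The docblock on `$robots_tag` in the first hunk of security/Security.php does not tell a maintainer what the setting actually guarantees. I would add a line such as `Advisory only: honoured by compliant crawlers, it does not restrict access to these pages.` so nobody treats it as a confidentiality control. The wording also differs from the comment in the second hunk, which says "the login page" where this docblock says "the Security section"; the two should name the same scope.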
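Review bot: The new `addHeader('X-Robots-Tag', ...)` call in the second hunk of security/Security.php is unconditional, so a project that sets `robots_tag` to an empty string or null to opt out still gets the header, with an empty value. A guard keeps the opt-out clean: `if ($robotsTag = $this->config()->robots_tag) { $this->getResponse()->addHeader('X-Robots-Tag', $robotsTag); }`. The existing `X-Frame-Options` line just above has the same shape. The enclosing method starts outside the hunk, so I cannot tell whether responses built later in the request (redirects, permission-failure responses) reuse this response object; if they do not, they would presumably go out without the header.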
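Review bot: The test added in tests/security/SecurityTest.php asserts only that the header contains `noindex`, so a regression that drops `nofollow` or ignores the configured value would still pass. Comparing against the config pins the real contract: `$this->assertSame(Config::inst()->get('Security', 'robots_tag'), $robotsHeader);`. Only `login_url` is requested here; a second request to another action of the controller would confirm the header is not specific to the login form.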