From cb2dcc75f1b36e20cb16529d239c7e57c97190c3 Mon Sep 17 00:00:00 2001
From: Robbie Averill
Date: Mon, 9 Jan 2017 16:13:39 +1300
Subject: [PATCH 1/2] Add X-Robots-Tag noindex,nofollow header from Security controller to prevent indexing

---
 security/Security.php | 11 +++++++++++
 tests/security/SecurityTest.php | 7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/security/Security.php b/security/Security.php
index 6e960ccbf..840af3f9d 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -146,6 +146,14 @@ class Security extends Controller implements TemplateGlobalProvider {
 */
 private static $frame_options = 'SAMEORIGIN';
 
+ /**
+ * Value of the X-Robots-Tag header (for the Security section)
+ *
+ * @config
+ * @var string
+ */
+ private static $robots_tag = 'noindex, nofollow';
+
 /**
 * Get location of word list file
 *
@@ -326,6 +334,9 @@ class Security extends Controller implements TemplateGlobalProvider {
 // Prevent clickjacking, see https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
 $this->getResponse()->addHeader('X-Frame-Options', $this->config()->frame_options);
+
+ // Prevent search engines from indexing the login page
+ $this->getResponse()->addHeader('X-Robots-Tag', $this->config()->robots_tag);
 }
 
 public function index() {
diff --git a/tests/security/SecurityTest.php b/tests/security/SecurityTest.php
index 45463d6fe..bd2c8ed0f 100644
--- a/tests/security/SecurityTest.php
+++ b/tests/security/SecurityTest.php
@@ -574,6 +574,13 @@ class SecurityTest extends FunctionalTest {
 Security::$force_database_is_ready = $old;
 }
 
+ public function testSecurityControllerSendsRobotsTagHeader() {
+ $response = $this->get(Config::inst()->get('Security', 'login_url'));
+ $robotsHeader = $response->getHeader('X-Robots-Tag');
+ $this->assertNotNull($robotsHeader);
+ $this->assertContains('noindex', $robotsHeader);
+ }
+
 /**
 * Execute a log-in form using Director::test().
 * Helper method for the tests above
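Review bot: The comment on the new addHeader call in the second Security.php hunk says the header protects "the login page", but it sits next to the X-Frame-Options call in what looks like the controller's shared request setup, so every response from this controller carries it, not only the login action; wording it `// Prevent search engines from indexing any page served by the Security controller` matches what the code does. It is also worth recording in the `$robots_tag` docblock in the first hunk that X-Robots-Tag is advisory — it only affects crawlers that honour it and does not make the pages unreachable — so nobody later treats it as an access control. The enclosing method starts outside the hunk.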
From 2f6f5b5eff11736e89960fc770f3ef93fe5ef2f7 Mon Sep 17 00:00:00 2001
From: Robbie Averill
Date: Wed, 11 Jan 2017 08:26:04 +1300
Subject: [PATCH 2/2] Do not send the header if it is not defined

---
 security/Security.php | 4 +++-
 tests/security/SecurityTest.php | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/security/Security.php b/security/Security.php
index 840af3f9d..c6c6cd402 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -336,7 +336,9 @@ class Security extends Controller implements TemplateGlobalProvider {
 $this->getResponse()->addHeader('X-Frame-Options', $this->config()->frame_options);
 
 // Prevent search engines from indexing the login page
- $this->getResponse()->addHeader('X-Robots-Tag', $this->config()->robots_tag);
+ if ($this->config()->robots_tag) {
+ $this->getResponse()->addHeader('X-Robots-Tag', $this->config()->robots_tag);
+ }
 }
 
 public function index() {
diff --git a/tests/security/SecurityTest.php b/tests/security/SecurityTest.php
index bd2c8ed0f..a2206e37d 100644
--- a/tests/security/SecurityTest.php
+++ b/tests/security/SecurityTest.php
@@ -581,6 +581,13 @@ class SecurityTest extends FunctionalTest {
 $this->assertContains('noindex', $robotsHeader);
 }
 
+ public function testDoNotSendEmptyRobotsHeaderIfNotDefined() {
+ Config::inst()->update('Security', 'robots_tag', null);
+ $response = $this->get(Config::inst()->get('Security', 'login_url'));
+ $robotsHeader = $response->getHeader('X-Robots-Tag');
+ $this->assertNull($robotsHeader);
+ }
+
 /**
 * Execute a log-in form using Director::test().
 * Helper method for the tests above
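Review bot: `if ($this->config()->robots_tag)` in the Security.php hunk is a truthiness test and reads the config value twice; reading it once and naming the disabled case makes the intent explicit: `$robotsTag = $this->config()->robots_tag;` / `if ($robotsTag !== null && $robotsTag !== '') {` / `$this->getResponse()->addHeader('X-Robots-Tag', $robotsTag);`. The `$robots_tag` docblock introduced by the previous patch still declares `@var string`, but this change makes `null`/empty a supported value that switches the header off, so it should say `@var string|null` and state that an empty value disables the header. The enclosing method starts outside the hunk.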