Skip to content

Add robots.txt and Referrer-Policy meta tag#91

Open
santichausis wants to merge 1 commit into
gea-ecobricks:new-mainfrom
santichausis:fix/robots-security-headers
Open

Add robots.txt and Referrer-Policy meta tag#91
santichausis wants to merge 1 commit into
gea-ecobricks:new-mainfrom
santichausis:fix/robots-security-headers

Conversation

@santichausis

Copy link
Copy Markdown

Summary

  • Adds robots.txt disallowing /scripts/, /api/, /includes/, /meta/, /translations/ — none of these are meant to be visited as standalone pages (they're internal admin tools, raw JSON endpoints, or PHP/JS partials require'd by real pages), so there's no reason for them to be crawled or indexed. Points to both sitemap.xml and sitemap-multilingual.xml.
  • Adds <meta name="referrer" content="strict-origin-when-cross-origin"> to header-2025.php, which is loaded on every page.

Why not the other usual security headers (X-Content-Type-Options, X-Frame-Options, HSTS, CSP)?

Wanted to flag this rather than silently skip it or half-implement something that looks like it works but doesn't:

  1. This repo's own .gitignore has .htaccess* under "Core server / hosting clutter" — .htaccess is explicitly excluded from version control here, presumably because it's managed directly on the live server. Adding one in this PR would go against that existing convention (and could conflict with whatever the server already has).
  2. Setting these via PHP's header() doesn't work as an alternative: every page (en/how.php, etc.) starts with literal <!DOCTYPE html> output before includes/{page}-inc2.php requires header-2025.php — so a header() call placed in header-2025.php would hit "headers already sent" on every real page and silently no-op.
  3. <meta> tags don't have that "already sent" restriction, which is why Referrer-Policy could be done this way — but X-Content-Type-Options and X-Frame-Options have no meta-tag equivalent that any browser honors; they require a real HTTP header.
  4. CSP could technically go in a <meta http-equiv="Content-Security-Policy"> tag, but I didn't want to guess at a policy without being able to test it against every external resource the site actually loads (fonts.googleapis.com, unpkg.com/leaflet, SVGator, Facebook widgets, etc.) — a wrong CSP silently breaks functionality rather than failing loudly.

Recommendation: add X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, and HSTS directly in the live server's .htaccess/vhost config (outside this repo, consistent with how .htaccess is already handled). Happy to help draft a CSP in a follow-up if someone can test it against staging/beta.ecobricks.org first.

Testing

  • Confirmed robots.txt isn't caught by any existing .gitignore rule (git check-ignore returns nothing).
  • php -l on header-2025.php — no syntax errors.
  • No test suite/CI in this repo to run beyond that.

robots.txt disallows crawling of internal-only directories that are
never meant to be visited as standalone pages: /scripts/ (internal
admin/migration tools), /api/ (raw JSON endpoints), /includes/, /meta/,
and /translations/ (PHP/JS partials loaded by other pages). Points to
both existing sitemaps.

Also adds <meta name="referrer" content="strict-origin-when-cross-origin">
to header-2025.php, loaded on every page.

Note on the other commonly-recommended security headers
(X-Content-Type-Options, X-Frame-Options, HSTS, CSP): this repo's own
.gitignore explicitly excludes .htaccess* from version control, and
every page here echoes HTML (the opening <!DOCTYPE html>) before
header-2025.php is ever required -- so a PHP header() call placed
there would fail with "headers already sent" on every real page.
Meta tags don't have that restriction (hence going that route for
Referrer-Policy), but X-Content-Type-Options/X-Frame-Options have no
meta-tag equivalent that browsers honor, and CSP isn't safe to guess
at without a way to test it against every external resource the site
loads (fonts.googleapis.com, unpkg.com/leaflet, SVGator, Facebook
widgets, etc.). Recommend adding those directly to the server's
own .htaccess/vhost config outside this repo, per its existing
gitignore convention.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant