[4.0] [plg_system_httpheader] Implement security http headers per default and create the posibility to add custom http headers

administrator/components/com_admin/sql/updates/mysql/4.0.0-2017-10-10.sql

@@ -0,0 +1,6 @@
+INSERT INTO `#__extensions` (`extension_id`, `name`, `type`, `element`, `folder`, `client_id`, `enabled`, `access`, `protected`, `manifest_cache`, `params`, `custom_data`, `system_data`, `checked_out`, `checked_out_time`, `ordering`, `state`) VALUES
+(486, 'plg_system_httpheader', 'plugin', 'httpheader', 'system', 0, 1, 1, 0, '', '{}', '', '', 0, '0000-00-00 00:00:00', 0, 0);
+
+INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description_key`, `action_key`, `language_extension`, `language_client_id`, `type`, `action_file`, `action`, `condition_file`, `condition_method`, `version_introduced`, `enabled`)
+VALUES
+(NULL, 486, 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_TITLE', 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_BODY', 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_ACTION', 'plg_system_httpheader', 1, 'action', 'site://plugins/system/httpheader/postinstall/introduction.php', 'httpheader_postinstall_action', 'site://plugins/system/httpheader/postinstall/introduction.php', 'httpheader_postinstall_condition', '4.0.0', 1);

administrator/components/com_admin/sql/updates/postgresql/4.0.0-2017-10-10.sql

@@ -0,0 +1,6 @@
+INSERT INTO "#__extensions" ("extension_id", "name", "type", "element", "folder", "client_id", "enabled", "access", "protected", "manifest_cache", "params", "custom_data", "system_data", "checked_out", "checked_out_time", "ordering", "state") VALUES
+(486, 'plg_system_httpheader', 'plugin', 'httpheader', 'system', 0, 1, 1, 0, '', '{}', '', '', 0, '0000-00-00 00:00:00', 0, 0);
+
+INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description_key", "action_key", "language_extension", "language_client_id", "type", "action_file", "action", "condition_file", "condition_method", "version_introduced", "enabled")
+VALUES
+(NULL, 486, 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_TITLE', 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_BODY', 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_ACTION', 'plg_system_httpheader', 1, 'action', 'site://plugins/system/httpheader/postinstall/introduction.php', 'httpheader_postinstall_action', 'site://plugins/system/httpheader/postinstall/introduction.php', 'httpheader_postinstall_condition', '4.0.0', 1);

administrator/language/en-GB/en-GB.plg_system_httpheader.sys.ini

@@ -0,0 +1,31 @@
+; Joomla! Project
+; Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.
+; License GNU General Public License version 2 or later; see LICENSE.txt, see LICENSE.php
+; Note : All ini files need to be saved as UTF-8
+
+PLG_SYSTEM_HTTPHEADER="System - HTTPHeader"
+PLG_SYSTEM_HTTPHEADER_XML_DESCRIPTION="This Plugin can set some Security HTTP Headers"
+PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER="Define additional HTTP Header"
+PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_DESC="Using this you can set also different values from the default ones and also additional headers when it is supported. The supported headers are: <br><ul><li>Strict-Transport-Security</li><li>Content-Security-Policy</li><li>Content-Security-Policy-Report-Only</li><li>X-Frame-Options</li><li>X-XSS-Protection</li><li>X-Content-Type-Options</li><li>Referrer-Policy</li><li>Expect-CT</li></ul>"
+PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_CLIENT="Site selection"
+PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_CLIENT_SITE="Site"
+PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_CLIENT_ADMINISTRATOR="Administrator"
+PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_CLIENT_BOTH="Both"
+PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_KEY="HTTP Header"
+PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_VALUE="HTTP Header Value"
+PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_TITLE="HTTP Security Headers are available"
+PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_BODY="Joomla! comes with a built-in plugin that handle http security headers. It secures your site by setting the following headers with the default values:<br><ul><li><a href='https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options'>'X-Frame-Options: SAMEORIGIN'</a></li><li><a href='https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection'>'X-XSS-Protection: 1; mode=block'</a></li><li><a href='https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options'>'X-Content-Type-Options: nosniff'</a></li><li><a href='https://scotthelme.co.uk/a-new-security-header-referrer-policy/'>'Referrer-Policy: no-referrer-when-downgrade'</a></li></ul><br><br>The full list of supported headers are: <br><ul><li><a href='https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security'>Strict-Transport-Security</a></li><li><a href='https://en.wikipedia.org/wiki/Content_Security_Policy'>Content-Security-Policy</a></li><li>Content-Security-Policy-Report-Only</li><li>X-Frame-Options</li><li>X-XSS-Protection</li><li>X-Content-Type-Options</li><li>Referrer-Policy</li><li>Expect-CT</li></ul><br><br>These headers help your browser to protect your website from <a href='https://en.wikipedia.org/wiki/Cross-site_scripting'>XSS</a> and <a href='https://en.wikipedia.org/wiki/Clickjacking'>Clickjacking</a> attacks."
+PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_ACTION="Enable default security headers"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY="Referrer-Policy"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_EMPTY_STRING="Empty String"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_NO_REFERRER="no-referrer"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_NO_REFERRER_WHEN_DOWNGRADE="no-referrer-when-downgrade"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_SAME_ORIGIN="same-origin"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_ORIGIN="origin"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_STRICT_ORIGIN="strict-origin"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_ORIGIN_WHEN_CROSS_ORIGIN="origin-when-cross-origin"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_STRICT_ORIGIN_WEHN_CROSS_ORIGIN="strict-origin-when-cross-origin"
+PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_UNSAFE_URL="unsafe-url"
+PLG_SYSTEM_HTTPHEADER_XCONTENTTYPEOPTIONS="X-Content-Type-Options"
+PLG_SYSTEM_HTTPHEADER_XFRAMEOPTIONS="X-Frame-Options"
+PLG_SYSTEM_HTTPHEADER_XXSSPROTECTION="X-XSS-Protection"

installation/sql/mysql/joomla.sql

@@ -641,6 +641,7 @@ INSERT INTO `#__extensions` (`extension_id`, `package_id`, `name`, `type`, `elem
 (483, 0, 'plg_media-action_crop', 'plugin', 'crop', 'media-action', 0, 1, 1, 0, '', '{}', 0, '0000-00-00 00:00:00', 0, 0, ''),
 (484, 0, 'plg_media-action_resize', 'plugin', 'resize', 'media-action', 0, 1, 1, 0, '', '{}', 0, '0000-00-00 00:00:00', 0, 0, ''),
 (485, 0, 'plg_media-action_rotate', 'plugin', 'rotate', 'media-action', 0, 1, 1, 0, '', '{}', 0, '0000-00-00 00:00:00', 0, 0, ''),
+(486, 0, 'plg_system_httpheader', 'plugin', 'httpheader', 'system', 0, 1, 1, 0, '', '{}', 0, '0000-00-00 00:00:00', 0, 0, ''),
 (509, 0, 'atum', 'template', 'atum', '', 1, 1, 1, 0, '', '', 0, '0000-00-00 00:00:00', 0, 0, ''),
 (510, 0, 'aurora', 'template', 'aurora', '', 0, 1, 1, 0, '', '{"logoFile":"","fluidContainer":"0","sidebarLeftWidth":"3","sidebarRightWidth":"3"}', 0, '0000-00-00 00:00:00', 0, 0, ''),
 (600, 802, 'English (en-GB)', 'language', 'en-GB', '', 0, 1, 1, 1, '', '', 0, '0000-00-00 00:00:00', 0, 0, ''),
@@ -1638,7 +1639,8 @@ INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description
 (700, 'COM_CPANEL_WELCOME_BEGINNERS_TITLE', 'COM_CPANEL_WELCOME_BEGINNERS_MESSAGE', '', 'com_cpanel', 1, 'message', '', '', '', '', '3.2.0', 1),
 (700, 'COM_CPANEL_MSG_STATS_COLLECTION_TITLE', 'COM_CPANEL_MSG_STATS_COLLECTION_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/statscollection.php', 'admin_postinstall_statscollection_condition', '3.5.0', 1),
 (700, 'PLG_SYSTEM_UPDATENOTIFICATION_POSTINSTALL_UPDATECACHETIME', 'PLG_SYSTEM_UPDATENOTIFICATION_POSTINSTALL_UPDATECACHETIME_BODY', 'PLG_SYSTEM_UPDATENOTIFICATION_POSTINSTALL_UPDATECACHETIME_ACTION', 'plg_system_updatenotification', 1, 'action', 'site://plugins/system/updatenotification/postinstall/updatecachetime.php', 'updatecachetime_postinstall_action', 'site://plugins/system/updatenotification/postinstall/updatecachetime.php', 'updatecachetime_postinstall_condition', '3.6.3', 1),
-(700, 'COM_CPANEL_MSG_JOOMLA40_PRE_CHECKS_TITLE', 'COM_CPANEL_MSG_JOOMLA40_PRE_CHECKS_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/joomla40checks.php', 'admin_postinstall_joomla40checks_condition', '3.7.0', 1);
+(700, 'COM_CPANEL_MSG_JOOMLA40_PRE_CHECKS_TITLE', 'COM_CPANEL_MSG_JOOMLA40_PRE_CHECKS_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/joomla40checks.php', 'admin_postinstall_joomla40checks_condition', '3.7.0', 1),
+(486, 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_TITLE', 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_BODY', 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_ACTION', 'plg_system_httpheader', 1, 'action', 'site://plugins/system/httpheader/postinstall/introduction.php', 'httpheader_postinstall_action', 'site://plugins/system/httpheader/postinstall/introduction.php', 'httpheader_postinstall_condition', '4.0.0', 1);
 
 -- --------------------------------------------------------
 

installation/sql/postgresql/joomla.sql

@@ -652,6 +652,7 @@ INSERT INTO "#__extensions" ("extension_id", "package_id", "name", "type", "elem
 (483, 0, 'plg_media-action_crop', 'plugin', 'crop', 'media-action', 0, 1, 1, 0, '', '{}', 0, '1970-01-01 00:00:00', 0, 0, ''),
 (484, 0, 'plg_media-action_resize', 'plugin', 'resize', 'media-action', 0, 1, 1, 0, '', '{}', 0, '1970-01-01 00:00:00', 0, 0, ''),
 (485, 0, 'plg_media-action_rotate', 'plugin', 'rotate', 'media-action', 0, 1, 1, 0, '', '{}', 0, '1970-01-01 00:00:00', 0, 0, ''),
+(486, 0, 'plg_system_httpheader', 'plugin', 'httpheader', 'system', 0, 1, 1, 0, '', '{}', 0, '0000-00-00 00:00:00', 0, 0, ''),
 (600, 802, 'English (en-GB)', 'language', 'en-GB', '', 0, 1, 1, 1, '', '', 0, '1970-01-01 00:00:00', 0, 0, ''),
 (601, 802, 'English (en-GB)', 'language', 'en-GB', '', 1, 1, 1, 1, '', '', 0, '1970-01-01 00:00:00', 0, 0, ''),
 (700, 0, 'files_joomla', 'file', 'joomla', '', 0, 1, 1, 1, '', '', 0, '1970-01-01 00:00:00', 0, 0, ''),
@@ -1620,7 +1621,8 @@ INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description
 (700, 'COM_CPANEL_WELCOME_BEGINNERS_TITLE', 'COM_CPANEL_WELCOME_BEGINNERS_MESSAGE', '', 'com_cpanel', 1, 'message', '', '', '', '', '3.2.0', 1),
 (700, 'COM_CPANEL_MSG_STATS_COLLECTION_TITLE', 'COM_CPANEL_MSG_STATS_COLLECTION_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/statscollection.php', 'admin_postinstall_statscollection_condition', '3.5.0', 1),
 (700, 'PLG_SYSTEM_UPDATENOTIFICATION_POSTINSTALL_UPDATECACHETIME', 'PLG_SYSTEM_UPDATENOTIFICATION_POSTINSTALL_UPDATECACHETIME_BODY', 'PLG_SYSTEM_UPDATENOTIFICATION_POSTINSTALL_UPDATECACHETIME_ACTION', 'plg_system_updatenotification', 1, 'action', 'site://plugins/system/updatenotification/postinstall/updatecachetime.php', 'updatecachetime_postinstall_action', 'site://plugins/system/updatenotification/postinstall/updatecachetime.php', 'updatecachetime_postinstall_condition', '3.6.3', 1),
-(700, 'COM_CPANEL_MSG_JOOMLA40_PRE_CHECKS_TITLE', 'COM_CPANEL_MSG_JOOMLA40_PRE_CHECKS_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/joomla40checks.php', 'admin_postinstall_joomla40checks_condition', '3.7.0', 1);
+(700, 'COM_CPANEL_MSG_JOOMLA40_PRE_CHECKS_TITLE', 'COM_CPANEL_MSG_JOOMLA40_PRE_CHECKS_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/joomla40checks.php', 'admin_postinstall_joomla40checks_condition', '3.7.0', 1),
+(486, 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_TITLE', 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_BODY', 'PLG_SYSTEM_HTTPHEADER_POSTINSTALL_INTRODUCTION_ACTION', 'plg_system_httpheader', 1, 'action', 'site://plugins/system/httpheader/postinstall/introduction.php', 'httpheader_postinstall_action', 'site://plugins/system/httpheader/postinstall/introduction.php', 'httpheader_postinstall_condition', '4.0.0', 1);
 
 --
 -- Table structure for table `#__redirect_links`

plugins/system/httpheader/httpheader.php

@@ -0,0 +1,129 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.HttpHeader
+ *
+ * @copyright   Copyright (C) 2005 - 2017 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Plugin\CMSPlugin;
+use Joomla\Event\SubscriberInterface;
+
+/**
+ * Plugin class for HTTP Header
+ *
+ * @since  __DEPLOY_VERSION__
+ */
+class PlgSystemHttpHeader extends CMSPlugin implements SubscriberInterface
+{
+	/**
+	 * If true, language files will be loaded automatically.
+	 *
+	 * @var    boolean
+	 * @since  __DEPLOY_VERSION__
+	 */
+	protected $autoloadLanguage = true;
+
+	/**
+	 * Application object.
+	 *
+	 * @var    JApplicationCms
+	 * @since  __DEPLOY_VERSION__
+	 */
+	protected $app;
+
+	/**
+	 * The list of the supported HTTP headers
+	 *
+	 * @var    array
+	 * @since  __DEPLOY_VERSION__
+	 */
+	protected $supportedHttpHeaders = [
+		'Strict-Transport-Security',
+		'Content-Security-Policy',
+		'Content-Security-Policy-Report-Only',
+		'X-Frame-Options',
+		'X-XSS-Protection',
+		'X-Content-Type-Options',
+		'Referrer-Policy',
+		// Upcoming Header
+		'Expect-CT',
+	];
+
+	/**
+	 * Returns an array of events this subscriber will listen to.
+	 *
+	 * @return  array
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public static function getSubscribedEvents()
+	{
+		return [
+			'onAfterInitialise' => 'setHttpHeaders',
+		];
+	}
+
+	/**
+	 * The `setHttpHeaders` methode handle the setting of the configured HTTP Headers
+	 *
+	 * @return  void
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public function setHttpHeaders()
+	{
+		$this->setDefaultHeader();
+
+		// Handle the additional httpheader
+		$httpHeaders = $this->params->get('additional_httpheader', array());
+
+		foreach ($httpHeaders as $httpHeader)
+		{
+			// Handle the client settings for each header
+			if (!$this->app->isClient($httpHeader->client) && $httpHeader->client != 'both')
+			{
+				continue;
+			}
+
+			if (in_array($httpHeader->key, $this->supportedHttpHeaders))
+			{
+				$this->app->setHeader($httpHeader->key, $httpHeader->value, true);
+			}
+		}
+	}
+
+	/**
+	 * Set the default headers when enabled
+	 *
+	 * @return  void
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private function setDefaultHeader()
+	{
+		// X-Frame-Options
+		if ($this->params->get('xframeoptions', 1) === 1)
+		{
+			$this->app->setHeader('X-Frame-Options', 'SAMEORIGIN');
+		}
+
+		// X-XSS-Protection
+		if ($this->params->get('xxssprotection', 1) === 1)
+		{
+			$this->app->setHeader('X-XSS-Protection', '1; mode=block');
+		}
+
+		// X-Content-Type-Options
+		if ($this->params->get('xcontenttypeoptions', 1) === 1)
+		{
+			$this->app->setHeader('X-Content-Type-Options', 'nosniff');
+		}
+
+		// Referrer-Policy
+		$this->app->setHeader('Referrer-Policy', $this->params->get('referrerpolicy', 'no-referrer-when-downgrade'));
+	}
+}

plugins/system/httpheader/httpheader.xml

@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="utf-8"?>
+<extension version="4.0" type="plugin" group="system" method="upgrade">
+	<name>plg_system_httpheader</name>
+	<author>Joomla! Project</author>
+	<creationDate>October 2017</creationDate>
+	<copyright>Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.</copyright>
+	<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
+	<authorEmail>[email protected]</authorEmail>
+	<authorUrl>www.joomla.org</authorUrl>
+	<version>4.0.0</version>
+	<description>PLG_SYSTEM_HTTPHEADER_XML_DESCRIPTION</description>
+	<files>
+		<folder>subform</folder>
+		<filename plugin="httpheader">httpheader.php</filename>
+	</files>
+	<config>
+		<fields name="params">
+			<fieldset name="basic">
+				<field
+					name="xframeoptions"
+					type="radio"
+					label="PLG_SYSTEM_HTTPHEADER_XFRAMEOPTIONS"
+					class="switcher"
+					default="1"
+					>
+					<option value="0">JDISABLED</option>
+					<option value="1">JENABLED</option>
+				</field>
+				<field
+					name="xxssprotection"
+					type="radio"
+					label="PLG_SYSTEM_HTTPHEADER_XXSSPROTECTION"
+					class="switcher"
+					default="1"
+					>
+					<option value="0">JDISABLED</option>
+					<option value="1">JENABLED</option>
+				</field>
+				<field
+					name="xcontenttypeoptions"
+					type="radio"
+					label="PLG_SYSTEM_HTTPHEADER_XCONTENTTYPEOPTIONS"
+					class="switcher"
+					default="1"
+					>
+					<option value="0">JDISABLED</option>
+					<option value="1">JENABLED</option>
+				</field>
+				<field
+					name="referrerpolicy"
+					type="list"
+					label="PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY"
+					default="no-referrer-when-downgrade"
+					>
+					<option value="">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_EMPTY_STRING</option>
+					<option value="no-referrer">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_NO_REFERRER</option>
+					<option value="no-referrer-when-downgrade">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_NO_REFERRER_WHEN_DOWNGRADE</option>
+					<option value="same-origin">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_SAME_ORIGIN</option>
+					<option value="origin">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_ORIGIN</option>
+					<option value="strict-origin">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_STRICT_ORIGIN</option>
+					<option value="origin-when-cross-origin">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_ORIGIN_WHEN_CROSS_ORIGIN</option>
+					<option value="strict-origin-when-cross-origin">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_STRICT_ORIGIN_WEHN_CROSS_ORIGIN</option>
+					<option value="unsafe-url">PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_UNSAFE_URL</option>
+				</field>
+				<field
+					name="additional_httpheader"
+					type="subform"
+					label="PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER"
+					description="PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_DESC"
+					formsource="plugins/system/httpheader/subform/customhttpheader.xml"
+					multiple="true"
+				/>
+			</fieldset>
+		</fields>
+	</config>
+</extension>

plugins/system/httpheader/postinstall/introduction.php

@@ -0,0 +1,44 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  system.httpheader
+ *
+ * @copyright   Copyright (C) 2005 - 2017 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ *
+ */
+
+/**
+ * Checks if the plugin is enabled. If not it returns true, meaning that the
+ * message concerning the HTTPHeader Plugin should be displayed.
+ *
+ * @return  integer
+ *
+ * @since   4.0
+ */
+function httpheader_postinstall_condition()
+{
+	return Joomla\CMS\Plugin\PluginHelper::isEnabled('system', 'httpheader');
+}
+
+/**
+ * Enables the HTTPHeader plugin
+ *
+ * @return  void
+ *
+ * @since   4.0
+ */
+function httpheader_postinstall_action()
+{
+	// Enable the plugin
+	$db = JFactory::getDbo();
+
+	$query = $db->getQuery(true)
+		->update($db->qn('#__extensions'))
+		->set($db->qn('enabled') . ' = ' . $db->q(1))
+		->where($db->qn('type') . ' = ' . $db->q('plugin'))
+		->where($db->qn('folder') . ' = ' . $db->q('system'))
+		->where($db->qn('element') . ' = ' . $db->q('plg_system_httpheader'));
+	$db->setQuery($query);
+	$db->execute();
+}

plugins/system/httpheader/subform/customhttpheader.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<form>
+	<field
+		name="key"
+		type="text"
+		label="PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_KEY"
+	/>
+	<field
+		name="value"
+		type="text"
+		label="PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_VALUE"
+	/>
+	<field
+		name="client"
+		type="radio"
+		label="PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_CLIENT"
+		default="site"
+		>
+		<option value="site">PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_CLIENT_SITE</option>
+		<option value="administrator">PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_CLIENT_ADMINISTRATOR</option>
+		<option value="both">PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_CLIENT_BOTH</option>
+	</field>
+</form>