Feature: #91354 - Integrate server response security checks

See forge#91354


In order to evaluate potential server misconfigurations and to reduce the potential of security implications in general, a new HTTP response check is integrated to "Environment Status" and the "Security" section in the reports module.


It is evaluated whether non-standard file extensions lead to unexpected handling on the server-side, such as test.php.wrong being evaluated as PHP or test.html.wrong being served with text/html content type.

Besides that, HTTP host header injection is evaluated. In case HTTP_HOST or SERVER_NAME were reported to contain unexpected values, this is an indicator for being affected by this configuration flaw. For Apache web servers, using the configuration directive UseCanonicalName On might solve this problem.

Details are explained in TYPO3 Security Guidelines for Administrators.