provide tweak of conf snippet security, and drop local-securityheaders

3 files changed, 177 insertions, 46 deletions

diff --git a/apache2/conf-available/local-securityheaders.conf b/apache2/conf-available/local-securityheaders.conf
deleted file mode 100644
index 07e5723..0000000
--- a/apache2/conf-available/local-securityheaders.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# Security headers
-# More info: <https://securityheaders.com/>
-
-# enable HSTS
-# <http://www.debian-administration.org/articles/662>
-<IfDefine !_NO_HSTS>
-<IfDefine !_NO_HSTS_SUBDOMAINS>
-<IfDefine !_NO_HSTS_PRELOAD>
-	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
-</IfDefine>
-<IfDefine _NO_HSTS_PRELOAD>
-	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
-</IfDefine>
-</IfDefine>
-<IfDefine _NO_HSTS_SUBDOMAINS>
-<IfDefine !_NO_HSTS_PRELOAD>
-	Header set Strict-Transport-Security: "max-age=15768000;preload"
-</IfDefine>
-<IfDefine _NO_HSTS_PRELOAD>
-	Header set Strict-Transport-Security: "max-age=15768000"
-</IfDefine>
-</IfDefine>
-</IfDefine>
-
-# Avoid Clickjack attacks
-Header always set X-Frame-Options "SAMEORIGIN"
-
-# Enable reflective XSS protection and block response when detecting an attack
-Header always set X-Xss-Protection "1; mode=block"
-
-# Use strict MIME types
-Header always set X-Content-Type-Options "nosniff"
-
-# Do not send the referrer header when navigating from HTTPS to HTTP,
-# but always send the full URL when navigating from HTTP to any origin.
-# More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
-Header always set Referrer-Policy "no-referrer-when-downgrade"
-
-# Allow images, scripts, AJAX, form actions, and CSS from the same origin,
-# and disallow any other resources to load (eg object, frame, media, etc).
-# More info: <https://content-security-policy.com/>
-Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
-
-# More info: <https://www.w3.org/TR/permissions-policy-1/>
-# feature list: <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
-Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(),  layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"
diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf
new file mode 100644
index 0000000..6652f0d
--- /dev/null
+++ b/apache2/conf-available/security.conf
@@ -0,0 +1,111 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+#<Directory />
+#   AllowOverride None
+#   Require all denied
+#</Directory>
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#ServerTokens Minimal
+ServerTokens Prod
+#ServerTokens Full
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#ServerSignature Off
+ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+#<DirectoryMatch "/\.svn">
+#   Require all denied
+#</DirectoryMatch>
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+Header always set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+Header always set X-Frame-Options: "sameorigin"
+
+# Enable reflective XSS protection and block response when detecting an attack
+Header always set X-Xss-Protection "1; mode=block"
+
+# Allow images, scripts, AJAX, form actions, and CSS from the same origin,
+# and disallow any other resources to load (eg object, frame, media, etc).
+# More info: <https://content-security-policy.com/>
+Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
+
+# Forbid use of browser features
+# More info: <https://www.w3.org/TR/permissions-policy-1/>
+# <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
+Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(),  layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"
+
+# Do not send the referrer header when navigating from HTTPS to HTTP,
+# but always send the full URL when navigating from HTTP to any origin.
+# More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
+Header always set Referrer-Policy "no-referrer-when-downgrade"
+
+# enable Strict Transport Security
+# <http://www.debian-administration.org/articles/662>
+<IfDefine !_NO_HSTS>
+<IfDefine !_NO_HSTS_SUBDOMAINS>
+<IfDefine !_NO_HSTS_PRELOAD>
+	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
+</IfDefine>
+<IfDefine _NO_HSTS_PRELOAD>
+	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+</IfDefine>
+</IfDefine>
+<IfDefine _NO_HSTS_SUBDOMAINS>
+<IfDefine !_NO_HSTS_PRELOAD>
+	Header set Strict-Transport-Security: "max-age=15768000;preload"
+</IfDefine>
+<IfDefine _NO_HSTS_PRELOAD>
+	Header set Strict-Transport-Security: "max-age=15768000"
+</IfDefine>
+</IfDefine>
+</IfDefine>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/apache2/conf-available/security.conf.diff b/apache2/conf-available/security.conf.diff
new file mode 100644
index 0000000..66829ed
--- /dev/null
+++ b/apache2/conf-available/security.conf.diff
@@ -0,0 +1,66 @@
+--- security.conf.orig
++++ security.conf
+@@ -22,7 +22,7 @@
+ # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+ # where Full conveys the most information, and Prod the least.
+ #ServerTokens Minimal
+-ServerTokens OS
++ServerTokens Prod
+ #ServerTokens Full
+ 
+ #
+@@ -60,14 +60,52 @@
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+-#Header set X-Content-Type-Options: "nosniff"
++Header always set X-Content-Type-Options: "nosniff"
+ 
+ #
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+-#Header set X-Frame-Options: "sameorigin"
++Header always set X-Frame-Options: "sameorigin"
+ 
++# Enable reflective XSS protection and block response when detecting an attack
++Header always set X-Xss-Protection "1; mode=block"
++
++# Allow images, scripts, AJAX, form actions, and CSS from the same origin,
++# and disallow any other resources to load (eg object, frame, media, etc).
++# More info: <https://content-security-policy.com/>
++Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
++
++# Forbid use of browser features
++# More info: <https://www.w3.org/TR/permissions-policy-1/>
++# <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
++Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(),  layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"
++
++# Do not send the referrer header when navigating from HTTPS to HTTP,
++# but always send the full URL when navigating from HTTP to any origin.
++# More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
++Header always set Referrer-Policy "no-referrer-when-downgrade"
++
++# enable Strict Transport Security
++# <http://www.debian-administration.org/articles/662>
++<IfDefine !_NO_HSTS>
++<IfDefine !_NO_HSTS_SUBDOMAINS>
++<IfDefine !_NO_HSTS_PRELOAD>
++	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
++</IfDefine>
++<IfDefine _NO_HSTS_PRELOAD>
++	Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
++</IfDefine>
++</IfDefine>
++<IfDefine _NO_HSTS_SUBDOMAINS>
++<IfDefine !_NO_HSTS_PRELOAD>
++	Header set Strict-Transport-Security: "max-age=15768000;preload"
++</IfDefine>
++<IfDefine _NO_HSTS_PRELOAD>
++	Header set Strict-Transport-Security: "max-age=15768000"
++</IfDefine>
++</IfDefine>
++</IfDefine>
+ 
+ # vim: syntax=apache ts=4 sw=4 sts=4 sr noet