diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2020-10-19 16:46:02 +0200 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2020-10-19 16:46:02 +0200 |
| commit | 3e2b5fc4e50e23db8c3f539b88ea4ebadf7eaaec (patch) | |
| tree | 88ad47ff801a78b42ec44b73699b48714f1a4192 | |
| parent | 6c01605f1953e2331e28b7d6b41266c48a88aae8 (diff) | |
tighten conf snippet local-securityheaders to always set Referrer-Policy Content-Security-Policy Permissions-Policy (not only on success)
| -rw-r--r-- | apache2/conf-available/local-securityheaders.conf | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/apache2/conf-available/local-securityheaders.conf b/apache2/conf-available/local-securityheaders.conf index 7f44eed..ce8561f 100644 --- a/apache2/conf-available/local-securityheaders.conf +++ b/apache2/conf-available/local-securityheaders.conf @@ -34,13 +34,13 @@ Header always set X-Content-Type-Options "nosniff" # Do not send the referrer header when navigating from HTTPS to HTTP, # but always send the full URL when navigating from HTTP to any origin. # More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/> -Header set Referrer-Policy "no-referrer-when-downgrade" +Header always set Referrer-Policy "no-referrer-when-downgrade" # Allow images, scripts, AJAX, form actions, and CSS from the same origin, # and disallow any other resources to load (eg object, frame, media, etc). # More info: <https://content-security-policy.com/> -Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';" +Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';" # More info: <https://www.w3.org/TR/permissions-policy-1/> # feature list: <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md> -Header set Permissions-Policy "accelerometer(self), ambient-light-sensor(self), autoplay(self), battery(self), camera(self), cross-origin-isolated(self), display-capture(self), document-domain(self), encrypted-media(self), execution-while-not-rendered(self), execution-while-out-of-viewport(self), fullscreen(self), geolocation(self), gyroscope(self), magnetometer(self), microphone(self), midi(self), navigation-override(self), payment(self), picture-in-picture(self), publickey-credentials-get(self), screen-wake-lock(self), sync-xhr(self), usb(self), web-share(self), xr-spatial-tracking(self)" +Header always set Permissions-Policy "accelerometer(self), ambient-light-sensor(self), autoplay(self), battery(self), camera(self), cross-origin-isolated(self), display-capture(self), document-domain(self), encrypted-media(self), execution-while-not-rendered(self), execution-while-out-of-viewport(self), fullscreen(self), geolocation(self), gyroscope(self), magnetometer(self), microphone(self), midi(self), navigation-override(self), payment(self), picture-in-picture(self), publickey-credentials-get(self), screen-wake-lock(self), sync-xhr(self), usb(self), web-share(self), xr-spatial-tracking(self)" |