Diffstat (limited to 'apache2/conf-available/local-securityheaders.conf')
-rw-r--r--apache2/conf-available/local-securityheaders.conf46
1 files changed, 0 insertions, 46 deletions
diff --git a/apache2/conf-available/local-securityheaders.conf b/apache2/conf-available/local-securityheaders.conf
deleted file mode 100644
index 07e5723..0000000
--- a/apache2/conf-available/local-securityheaders.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# Security headers
-# More info: <https://securityheaders.com/>
-
-# enable HSTS
-# <http://www.debian-administration.org/articles/662>
-<IfDefine !_NO_HSTS>
-<IfDefine !_NO_HSTS_SUBDOMAINS>
-<IfDefine !_NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
-</IfDefine>
-<IfDefine _NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
-</IfDefine>
-</IfDefine>
-<IfDefine _NO_HSTS_SUBDOMAINS>
-<IfDefine !_NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;preload"
-</IfDefine>
-<IfDefine _NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000"
-</IfDefine>
-</IfDefine>
-</IfDefine>
-
-# Avoid Clickjack attacks
-Header always set X-Frame-Options "SAMEORIGIN"
-
-# Enable reflective XSS protection and block response when detecting an attack
-Header always set X-Xss-Protection "1; mode=block"
-
-# Use strict MIME types
-Header always set X-Content-Type-Options "nosniff"
-
-# Do not send the referrer header when navigating from HTTPS to HTTP,
-# but always send the full URL when navigating from HTTP to any origin.
-# More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
-Header always set Referrer-Policy "no-referrer-when-downgrade"
-
-# Allow images, scripts, AJAX, form actions, and CSS from the same origin,
-# and disallow any other resources to load (eg object, frame, media, etc).
-# More info: <https://content-security-policy.com/>
-Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
-
-# More info: <https://www.w3.org/TR/permissions-policy-1/>
-# feature list: <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
-Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(), layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"