Diffstat (limited to 'apache2/conf-available/security.conf.diff')
-rw-r--r-- | apache2/conf-available/security.conf.diff | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/apache2/conf-available/security.conf.diff b/apache2/conf-available/security.conf.diff
new file mode 100644
index 0000000..66829ed
--- /dev/null
+++ b/apache2/conf-available/security.conf.diff
@@ -0,0 +1,66 @@
+--- security.conf.orig
++++ security.conf
+@@ -22,7 +22,7 @@
+ # Set to one of: Full | OS | Minimal | Minor | Major | Prod
+ # where Full conveys the most information, and Prod the least.
+ #ServerTokens Minimal
+-ServerTokens OS
++ServerTokens Prod
+ #ServerTokens Full
+ 
+ #
+@@ -60,14 +60,52 @@
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+-#Header set X-Content-Type-Options: "nosniff"
++Header always set X-Content-Type-Options: "nosniff"
+ 
+ #
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+-#Header set X-Frame-Options: "sameorigin"
++Header always set X-Frame-Options: "sameorigin"
+ 
++# Enable reflective XSS protection and block response when detecting an attack
++Header always set X-Xss-Protection "1; mode=block"
++
++# Allow images, scripts, AJAX, form actions, and CSS from the same origin,
++# and disallow any other resources to load (eg object, frame, media, etc).
++# More info: <https://content-security-policy.com/>
++Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
++
++# Forbid use of browser features
++# More info: <https://www.w3.org/TR/permissions-policy-1/>
++# <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
++Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(), layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"
++
++# Do not send the referrer header when navigating from HTTPS to HTTP,
++# but always send the full URL when navigating from HTTP to any origin.
++# More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
++Header always set Referrer-Policy "no-referrer-when-downgrade"
++
++# enable Strict Transport Security
++# <http://www.debian-administration.org/articles/662>
++<IfDefine !_NO_HSTS>
++<IfDefine !_NO_HSTS_SUBDOMAINS>
++<IfDefine !_NO_HSTS_PRELOAD>
++ Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
++</IfDefine>
++<IfDefine _NO_HSTS_PRELOAD>
++ Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
++</IfDefine>
++</IfDefine>
++<IfDefine _NO_HSTS_SUBDOMAINS>
++<IfDefine !_NO_HSTS_PRELOAD>
++ Header set Strict-Transport-Security: "max-age=15768000;preload"
++</IfDefine>
++<IfDefine _NO_HSTS_PRELOAD>
++ Header set Strict-Transport-Security: "max-age=15768000"
++</IfDefine>
++</IfDefine>
++</IfDefine>
+ 
+ # vim: syntax=apache ts=4 sw=4 sts=4 sr noet |
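Review bot: The four Strict-Transport-Security lines inside the new `<IfDefine>` block use `Header set` while every other header in this hunk uses `Header always set`, so HSTS is dropped from non-success responses (error pages and the like), and the `preload` token is paired with `max-age=15768000`, which is below the one-year minimum the HSTS preload list requires — e.g. `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` in the first branch, with the same `always` change in the other three. Browsers only honour HSTS over TLS, so this block is presumably meant for the HTTPS vhost; if this file is loaded globally, wrapping it in `<If "%{HTTPS} == 'on'">` keeps the header off plaintext responses. Separately, `X-Xss-Protection "1; mode=block"` is a legacy filter that current guidance sets to `0`, since the CSP added above is the supported control and the old auditor has been abused in older browsers. The CSP also has no `frame-ancestors`, so X-Frame-Options remains the only anti-framing control; appending `frame-ancestors 'self';` would match the `sameorigin` intent stated in the comment.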