From 206eb62fc7902304f4ec2d4e18991596312974da Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Mon, 19 Oct 2020 19:55:31 +0200
Subject: provide tweak of conf snippet security, and drop local-securityheaders
---
 apache2/conf-available/local-securityheaders.conf | 46 ---------
 apache2/conf-available/security.conf | 111 ++++++++++++++++++++++
 apache2/conf-available/security.conf.diff | 66 +++++++++++++
 3 files changed, 177 insertions(+), 46 deletions(-)
 delete mode 100644 apache2/conf-available/local-securityheaders.conf
 create mode 100644 apache2/conf-available/security.conf
 create mode 100644 apache2/conf-available/security.conf.diff
diff --git a/apache2/conf-available/local-securityheaders.conf b/apache2/conf-available/local-securityheaders.conf
deleted file mode 100644
index 07e5723..0000000
--- a/apache2/conf-available/local-securityheaders.conf
+++ /dev/null
@@ -1,46 +0,0 @@ -# Security headers -# More info: - -# enable HSTS -# - - - - Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload" - - - Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains" - - - - - Header set Strict-Transport-Security: "max-age=15768000;preload" - - - Header set Strict-Transport-Security: "max-age=15768000" - - - - -# Avoid Clickjack attacks -Header always set X-Frame-Options "SAMEORIGIN" - -# Enable reflective XSS protection and block response when detecting an attack -Header always set X-Xss-Protection "1; mode=block" - -# Use strict MIME types -Header always set X-Content-Type-Options "nosniff" - -# Do not send the referrer header when navigating from HTTPS to HTTP, -# but always send the full URL when navigating from HTTP to any origin. -# More info: -Header always set Referrer-Policy "no-referrer-when-downgrade" - -# Allow images, scripts, AJAX, form actions, and CSS from the same origin, -# and disallow any other resources to load (eg object, frame, media, etc). -# More info: -Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';" - -# More info: -# feature list: -Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(), layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()" diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf new file mode 100644 index 0000000..6652f0d 
--- /dev/null
+++ b/apache2/conf-available/security.conf
@@ -0,0 +1,111 @@ +# +# Disable access to the entire file system except for the directories that +# are explicitly allowed later. +# +# This currently breaks the configurations that come with some web application +# Debian packages. +# +# +# AllowOverride None +# Require all denied +# + + +# Changing the following options will not really affect the security of the +# server, but might make attacks slightly more difficult in some cases. + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minimal | Minor | Major | Prod +# where Full conveys the most information, and Prod the least. +#ServerTokens Minimal +ServerTokens Prod +#ServerTokens Full + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +#ServerSignature Off +ServerSignature On + +# +# Allow TRACE method +# +# Set to "extended" to also reflect the request body (only for testing and +# diagnostic purposes). +# +# Set to one of: On | Off | extended +TraceEnable Off +#TraceEnable On + +# +# Forbid access to version control directories +# +# If you use version control systems in your document root, you should +# probably deny access to their directories. For example, for subversion: +# +# +# Require all denied +# + +# +# Setting this header will prevent MSIE from interpreting files as something +# else than declared by the content type in the HTTP headers. +# Requires mod_headers to be enabled. 
+# +Header always set X-Content-Type-Options: "nosniff" + +# +# Setting this header will prevent other sites from embedding pages from this +# site as frames. This defends against clickjacking attacks. +# Requires mod_headers to be enabled. +# +Header always set X-Frame-Options: "sameorigin" + +# Enable reflective XSS protection and block response when detecting an attack +Header always set X-Xss-Protection "1; mode=block" + +# Allow images, scripts, AJAX, form actions, and CSS from the same origin, +# and disallow any other resources to load (eg object, frame, media, etc). +# More info: +Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';" + +# Forbid use of browser features +# More info: +# +Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(), layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()" + +# Do not send the referrer header when navigating from HTTPS to HTTP, +# but always send the full URL when navigating from HTTP to any origin. 
+# More info: +Header always set Referrer-Policy "no-referrer-when-downgrade" + +# enable Strict Transport Security +# + + + + Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload" + + + Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains" + + + + + Header set Strict-Transport-Security: "max-age=15768000;preload" + + + Header set Strict-Transport-Security: "max-age=15768000" + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/security.conf.diff b/apache2/conf-available/security.conf.diff new file mode 100644 index 0000000..66829ed --- /dev/null +++ b/apache2/conf-available/security.conf.diff 
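Review bot: The Permissions-Policy value added in security.conf lists members as `accelerometer(), ambient-light-sensor(), …` with no `=`, which is not the structured-field dictionary syntax that header requires, so user agents are likely to reject the whole header instead of applying any of it; each member should read `accelerometer=(), ambient-light-sensor=(), autoplay=()` and so on through the list. The Strict-Transport-Security lines also use plain `Header set` while every other header in the file uses `Header always set`, so HSTS is not emitted on error responses and Apache-generated redirects even though it is meant to accompany every HTTPS response; `Header always set Strict-Transport-Security "max-age=15768000;includeSubdomains;preload"` (and likewise for the three variants) would be consistent. The `preload` token is paired with `max-age=15768000`, about six months, which is below the one-year minimum the browser preload list requires, so either raise it to `max-age=31536000` or drop `preload` until that is intended. The `<IfModule>`/`<If>` conditionals that presumably wrap the HSTS block are not visible in this rendering, so which requests actually receive the header cannot be confirmed from here. The same lines are repeated in the security.conf.diff hunk below and need the identical fixes.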
@@ -0,0 +1,66 @@ +--- security.conf.orig ++++ security.conf +@@ -22,7 +22,7 @@ + # Set to one of: Full | OS | Minimal | Minor | Major | Prod + # where Full conveys the most information, and Prod the least. + #ServerTokens Minimal +-ServerTokens OS ++ServerTokens Prod + #ServerTokens Full + + # +@@ -60,14 +60,52 @@ + # else than declared by the content type in the HTTP headers. + # Requires mod_headers to be enabled. + # +-#Header set X-Content-Type-Options: "nosniff" ++Header always set X-Content-Type-Options: "nosniff" + + # + # Setting this header will prevent other sites from embedding pages from this + # site as frames. This defends against clickjacking attacks. + # Requires mod_headers to be enabled. + # +-#Header set X-Frame-Options: "sameorigin" ++Header always set X-Frame-Options: "sameorigin" + ++# Enable reflective XSS protection and block response when detecting an attack ++Header always set X-Xss-Protection "1; mode=block" ++ ++# Allow images, scripts, AJAX, form actions, and CSS from the same origin, ++# and disallow any other resources to load (eg object, frame, media, etc). 
++# More info: ++Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';" ++ ++# Forbid use of browser features ++# More info: ++# ++Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(), layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()" ++ ++# Do not send the referrer header when navigating from HTTPS to HTTP, ++# but always send the full URL when navigating from HTTP to any origin. ++# More info: ++Header always set Referrer-Policy "no-referrer-when-downgrade" ++ ++# enable Strict Transport Security ++# ++ ++ ++ ++ Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload" ++ ++ ++ Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains" ++ ++ ++ ++ ++ Header set Strict-Transport-Security: "max-age=15768000;preload" ++ ++ ++ Header set Strict-Transport-Security: "max-age=15768000" ++ ++ ++ + + # vim: syntax=apache ts=4 sw=4 sts=4 sr noet -- cgit v1.2.3
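Review bot: This patch file duplicates every header line of the full security.conf added in the same commit, so any later change has to be made in two places and the two copies will drift apart silently. A leading comment in security.conf.diff (patch tools ignore text before the first `---` line) stating which file is authoritative and how the other is produced would prevent that, e.g. `# Regenerate from the stock Debian file with: diff -u security.conf.orig security.conf` followed by `# Edit security.conf, not this file.`.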