summaryrefslogtreecommitdiff
path: root/apache2/conf-available/local-securityheaders.conf
blob: ce8561fd25e3351f05be1b7d85b438baff492fb1 (plain) 
    

  1. # Security headers
    2. 

  2. # More info: <https://securityheaders.com/>
    3. 

  3. 

  4. # enable HSTS
    5. 

  5. # <http://www.debian-administration.org/articles/662>
    6. 

  6. <IfDefine !_NO_HSTS>
    7. 

  7. <IfDefine !_NO_HSTS_SUBDOMAINS>
    8. 

  8. <IfDefine !_NO_HSTS_PRELOAD>
    9. 

  9.     Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
    10. 

  10. </IfDefine>
    11. 

  11. <IfDefine _NO_HSTS_PRELOAD>
    12. 

  12.     Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
    13. 

  13. </IfDefine>
    14. 

  14. </IfDefine>
    15. 

  15. <IfDefine _NO_HSTS_SUBDOMAINS>
    16. 

  16. <IfDefine !_NO_HSTS_PRELOAD>
    17. 

  17.     Header set Strict-Transport-Security: "max-age=15768000;preload"
    18. 

  18. </IfDefine>
    19. 

  19. <IfDefine _NO_HSTS_PRELOAD>
    20. 

  20.     Header set Strict-Transport-Security: "max-age=15768000"
    21. 

  21. </IfDefine>
    22. 

  22. </IfDefine>
    23. 

  23. </IfDefine>
    24. 

  24. 

  25. # Avoid Clickjack attacks
    26. 

  26. Header always set X-Frame-Options "SAMEORIGIN"
    27. 

  27. 

  28. # Enable reflective XSS protection and block response when detecting an attack
    29. 

  29. Header always set X-Xss-Protection "1; mode=block"
    30. 

  30. 

  31. # Use strict MIME types
    32. 

  32. Header always set X-Content-Type-Options "nosniff"
    33. 

  33. 

  34. # Do not send the referrer header when navigating from HTTPS to HTTP,
    35. 

  35. # but always send the full URL when navigating from HTTP to any origin.
    36. 

  36. # More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
    37. 

  37. Header always set Referrer-Policy "no-referrer-when-downgrade"
    38. 

  38. 

  39. # Allow images, scripts, AJAX, form actions, and CSS from the same origin,
    40. 

  40. # and disallow any other resources to load (eg object, frame, media, etc).
    41. 

  41. # More info: <https://content-security-policy.com/>
    42. 

  42. Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
    43. 

  43. 

  44. # More info: <https://www.w3.org/TR/permissions-policy-1/>
    45. 

  45. # feature list: <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
    46. 

  46. Header always set Permissions-Policy "accelerometer(self), ambient-light-sensor(self), autoplay(self), battery(self), camera(self), cross-origin-isolated(self), display-capture(self), document-domain(self), encrypted-media(self), execution-while-not-rendered(self), execution-while-out-of-viewport(self), fullscreen(self), geolocation(self), gyroscope(self), magnetometer(self), microphone(self), midi(self), navigation-override(self), payment(self), picture-in-picture(self), publickey-credentials-get(self), screen-wake-lock(self), sync-xhr(self), usb(self), web-share(self), xr-spatial-tracking(self)"
    47.
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-14 05:02:48 +0000