authorJonas Smedegaard <dr@jones.dk>2020-10-19 20:21:04 +0200
committerJonas Smedegaard <dr@jones.dk>2020-10-19 20:21:04 +0200
commitd07729f5b66b10b80c6857c4f918c2ff4f699049 (patch)
tree66e791aa7d4db66cf4fbace6f7a3416097669d1e
parent206eb62fc7902304f4ec2d4e18991596312974da (diff)
set HSTS header unconditionally, with an age of 2 years
-rw-r--r--apache2/conf-available/security.conf20
-rw-r--r--apache2/conf-available/security.conf.diff22
2 files changed, 3 insertions, 39 deletions
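diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf
index 6652f0d..2fcb473 100644
--- a/apache2/conf-available/security.conf
+++ b/apache2/conf-available/security.conf
@@ -88,24 +88,6 @@ Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), a
 Header always set Referrer-Policy "no-referrer-when-downgrade"
 # enable Strict Transport Security
-# <http://www.debian-administration.org/articles/662>
-<IfDefine !_NO_HSTS>
-<IfDefine !_NO_HSTS_SUBDOMAINS>
-<IfDefine !_NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
-</IfDefine>
-<IfDefine _NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
-</IfDefine>
-</IfDefine>
-<IfDefine _NO_HSTS_SUBDOMAINS>
-<IfDefine !_NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;preload"
-</IfDefine>
-<IfDefine _NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000"
-</IfDefine>
-</IfDefine>
-</IfDefine>
+Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;preload"
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet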
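Review bot: The new Strict-Transport-Security line at the end of the hunk commits every vhost that includes this file to `includeSubdomains;preload` for 730 days, and with the `_NO_HSTS*` IfDefine opt-outs gone there is no longer any per-host way to decline, so a host with even one subdomain still served over plain HTTP would be unreachable for that long in every browser that has seen the header. Nothing near the directive records that consequence; a comment above it such as `# Applies to every vhost: includeSubdomains+preload pins all subdomains to HTTPS and is slow to revoke once a domain is on the preload list` would warn the next maintainer. Browsers ignore HSTS received over plain HTTP (RFC 6797 §8.1), so wrapping the directive in `<If "%{HTTPS} == 'on'">` … `</If>` would additionally avoid advertising the policy on the cleartext side, though that is optional. The same directive is mirrored in the second hunk of apache2/conf-available/security.conf.diff and would need the same comment there.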
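diff --git a/apache2/conf-available/security.conf.diff b/apache2/conf-available/security.conf.diff
index 66829ed..c363be3 100644
--- a/apache2/conf-available/security.conf.diff
+++ b/apache2/conf-available/security.conf.diff
@@ -9,7 +9,7 @@
 #ServerTokens Full
 #
-@@ -60,14 +60,52 @@
+@@ -60,14 +60,34 @@
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
@@ -43,24 +43,6 @@
 +Header always set Referrer-Policy "no-referrer-when-downgrade"
 +
 +# enable Strict Transport Security
-+# <http://www.debian-administration.org/articles/662>
-+<IfDefine !_NO_HSTS>
-+<IfDefine !_NO_HSTS_SUBDOMAINS>
-+<IfDefine !_NO_HSTS_PRELOAD>
-+ Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
-+</IfDefine>
-+<IfDefine _NO_HSTS_PRELOAD>
-+ Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
-+</IfDefine>
-+</IfDefine>
-+<IfDefine _NO_HSTS_SUBDOMAINS>
-+<IfDefine !_NO_HSTS_PRELOAD>
-+ Header set Strict-Transport-Security: "max-age=15768000;preload"
-+</IfDefine>
-+<IfDefine _NO_HSTS_PRELOAD>
-+ Header set Strict-Transport-Security: "max-age=15768000"
-+</IfDefine>
-+</IfDefine>
-+</IfDefine>
++Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;preload"
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet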