- # Security headers
- # More info: <https://securityheaders.com/>
- # enable HSTS
- # <http://www.debian-administration.org/articles/662>
- <IfDefine !_NO_HSTS>
- <IfDefine !_NO_HSTS_SUBDOMAINS>
- <IfDefine !_NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
- </IfDefine>
- <IfDefine _NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
- </IfDefine>
- </IfDefine>
- <IfDefine _NO_HSTS_SUBDOMAINS>
- <IfDefine !_NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000;preload"
- </IfDefine>
- <IfDefine _NO_HSTS_PRELOAD>
- Header set Strict-Transport-Security: "max-age=15768000"
- </IfDefine>
- </IfDefine>
- </IfDefine>
- # Avoid Clickjack attacks
- Header always set X-Frame-Options "SAMEORIGIN"
- # Enable reflective XSS protection and block response when detecting an attack
- Header always set X-Xss-Protection "1; mode=block"
- # Use strict MIME types
- Header always set X-Content-Type-Options "nosniff"
- # Do not send the referrer header when navigating from HTTPS to HTTP,
- # but always send the full URL when navigating from HTTP to any origin.
- # More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
- Header set Referrer-Policy "no-referrer-when-downgrade"
- # Allow images, scripts, AJAX, form actions, and CSS from the same origin,
- # and disallow any other resources to load (eg object, frame, media, etc).
- # More info: <https://content-security-policy.com/>
- Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
- # More info: <https://www.w3.org/TR/permissions-policy-1/>
- # feature list: <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
- Header set Permissions-Policy "accelerometer(self), ambient-light-sensor(self), autoplay(self), battery(self), camera(self), cross-origin-isolated(self), display-capture(self), document-domain(self), encrypted-media(self), execution-while-not-rendered(self), execution-while-out-of-viewport(self), fullscreen(self), geolocation(self), gyroscope(self), magnetometer(self), microphone(self), midi(self), navigation-override(self), payment(self), picture-in-picture(self), publickey-credentials-get(self), screen-wake-lock(self), sync-xhr(self), usb(self), web-share(self), xr-spatial-tracking(self)"
|