summaryrefslogtreecommitdiff
path: root/apache2/conf-available/security.conf.diff
blob: de9221a0be5813f0bbd694321cc99bcba54e76f4 (plain) 
    

  1. --- security.conf.orig
    2. 

  2. +++ security.conf
    3. 

  3. @@ -22,7 +22,7 @@
    4. 

  4.  # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
    5. 

  5.  # where Full conveys the most information, and Prod the least.
    6. 

  6.  #ServerTokens Minimal
    7. 

  7. -ServerTokens OS
    8. 

  8. +ServerTokens Prod
    9. 

  9.  #ServerTokens Full
    10. 

  10.  
    11. 

  11.  #
    12. 

  12. @@ -60,14 +60,34 @@
    13. 

  13.  # else than declared by the content type in the HTTP headers.
    14. 

  14.  # Requires mod_headers to be enabled.
    15. 

  15.  #
    16. 

  16. -#Header set X-Content-Type-Options: "nosniff"
    17. 

  17. +Header always set X-Content-Type-Options: "nosniff"
    18. 

  18.  
    19. 

  19.  #
    20. 

  20.  # Setting this header will prevent other sites from embedding pages from this
    21. 

  21.  # site as frames. This defends against clickjacking attacks.
    22. 

  22.  # Requires mod_headers to be enabled.
    23. 

  23.  #
    24. 

  24. -#Header set X-Frame-Options: "sameorigin"
    25. 

  25. +Header always set X-Frame-Options: "sameorigin"
    26. 

  26.  
    27. 

  27. +# Enable reflective XSS protection and block response when detecting an attack
    28. 

  28. +Header always set X-Xss-Protection "1; mode=block"
    29. 

  29. +
    30. 

  30. +# Allow images, scripts, AJAX, form actions, and CSS from the same origin,
    31. 

  31. +# and disallow any other resources to load (eg object, frame, media, etc).
    32. 

  32. +# More info: <https://content-security-policy.com/>
    33. 

  33. +Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
    34. 

  34. +
    35. 

  35. +# Forbid use of browser features
    36. 

  36. +# More info: <https://www.w3.org/TR/permissions-policy-1/>
    37. 

  37. +# <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
    38. 

  38. +Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(),  layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"
    39. 

  39. +
    40. 

  40. +# Do not send the referrer header when navigating from HTTPS to HTTP,
    41. 

  41. +# but always send the full URL when navigating from HTTP to any origin.
    42. 

  42. +# More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
    43. 

  43. +Header always set Referrer-Policy "no-referrer-when-downgrade"
    44. 

  44. +
    45. 

  45. +# enable Strict Transport Security
    46. 

  46. +Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;preload" "expr=%{HTTPS} != 'off'"
    47. 

  47.  
    48. 

  48.  # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    49.
generated by cgit v1.2.3 (git 2.46.0) at 2025-01-14 12:48:42 +0000