- #
- # Disable access to the entire file system except for the directories that
- # are explicitly allowed later.
- #
- # This currently breaks the configurations that come with some web application
- # Debian packages.
- #
- #<Directory />
- # AllowOverride None
- # Require all denied
- #</Directory>
- # Changing the following options will not really affect the security of the
- # server, but might make attacks slightly more difficult in some cases.
- #
- # ServerTokens
- # This directive configures what you return as the Server HTTP response
- # Header. The default is 'Full' which sends information about the OS-Type
- # and compiled in modules.
- # Set to one of: Full | OS | Minimal | Minor | Major | Prod
- # where Full conveys the most information, and Prod the least.
- #ServerTokens Minimal
- ServerTokens Prod
- #ServerTokens Full
- #
- # Optionally add a line containing the server version and virtual host
- # name to server-generated pages (internal error documents, FTP directory
- # listings, mod_status and mod_info output etc., but not CGI generated
- # documents or custom error documents).
- # Set to "EMail" to also include a mailto: link to the ServerAdmin.
- # Set to one of: On | Off | EMail
- #ServerSignature Off
- ServerSignature On
- #
- # Allow TRACE method
- #
- # Set to "extended" to also reflect the request body (only for testing and
- # diagnostic purposes).
- #
- # Set to one of: On | Off | extended
- TraceEnable Off
- #TraceEnable On
- #
- # Forbid access to version control directories
- #
- # If you use version control systems in your document root, you should
- # probably deny access to their directories. For example, for subversion:
- #
- #<DirectoryMatch "/\.svn">
- # Require all denied
- #</DirectoryMatch>
- #
- # Setting this header will prevent MSIE from interpreting files as something
- # else than declared by the content type in the HTTP headers.
- # Requires mod_headers to be enabled.
- #
- Header always set X-Content-Type-Options: "nosniff"
- #
- # Setting this header will prevent other sites from embedding pages from this
- # site as frames. This defends against clickjacking attacks.
- # Requires mod_headers to be enabled.
- #
- Header always set X-Frame-Options: "sameorigin"
- # Enable reflective XSS protection and block response when detecting an attack
- Header always set X-Xss-Protection "1; mode=block"
- # Allow images, scripts, AJAX, form actions, and CSS from the same origin,
- # and disallow any other resources to load (eg object, frame, media, etc).
- # More info: <https://content-security-policy.com/>
- Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
- # Forbid use of browser features
- # More info: <https://www.w3.org/TR/permissions-policy-1/>
- # <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
- Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(), layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"
- # Do not send the referrer header when navigating from HTTPS to HTTP,
- # but always send the full URL when navigating from HTTP to any origin.
- # More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
- Header always set Referrer-Policy "no-referrer-when-downgrade"
- # enable Strict Transport Security
- Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;preload" "expr=%{HTTPS} == 'on'"
- # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
|
