diff --git a/DOC/README.HTTP-security-headers b/DOC/README.HTTP-security-headers
index 8554cad..3df8a50 100644
--- a/DOC/README.HTTP-security-headers
+++ b/DOC/README.HTTP-security-headers
@@ -1,190 +1,189 @@
+# ==========
+# - HTTP security Headers
+# ==========
- # ==========
- # - HTTP security Headers
- # ==========
+# You can mitigate most of the common Cross Site Scripting attack using HttpOnly
+# and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible
+# to steal or manipulate web application session and cookies and it’s dangerous.
+#
+#Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
- # You can mitigate most of the common Cross Site Scripting attack using HttpOnly
- # and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible
- # to steal or manipulate web application session and cookies and it’s dangerous.
- #
- #Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
+# - X-Frame-Options
+# -
+# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
+# -
+# - X-Frame-Options tells the browser whether you want to
+# - allow your site to be framed or not. By preventing a
+# - browser from framing your site you can defend against
+# - attacks like clickjacking
+# -
+# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
+# - against clickjacking attacks. An attacker can load up an iframe on their
+# - site and set your site as the source, it's quite easy:
+# -
+# -
+# -
+# - Using some crafty CSS they can hide your site in the background and create some
+# - genuine looking overlays. When your visitors click on what they think is a harmless
+# - link, they're actually clicking on links on your website in the background. That
+# - might not seem so bad until we realise that the browser will execute those requests
+# - in the context of the user, which could include them being logged in and authenticated
+# - to your site!
+# -
+# - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front :
+# - of you':
+# -
+# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
+# -
+# - Valid values:
+# -
+# - DENY meaning your site can't be framed
+# -
+# - SAMEORIGIN which allows you to frame your own site
+# -
+# - ALLOW-FROM https://example.com/ which lets you specify
+# - sites that are permitted to frame your own site.
+# -
+# - Note:
+# - For Apache 2.2 use
+# - Header always set X-Frame-Options "SAMEORIGIN"
+# -
+#Header always append X-Frame-Options "SAMEORIGIN"
- # - X-Frame-Options
- # -
- # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
- # -
- # - X-Frame-Options tells the browser whether you want to
- # - allow your site to be framed or not. By preventing a
- # - browser from framing your site you can defend against
- # - attacks like clickjacking
- # -
- # - The X-Frame-Options header (RFC), or XFO header, protects your visitors
- # - against clickjacking attacks. An attacker can load up an iframe on their
- # - site and set your site as the source, it's quite easy:
- # -
- # -
- # -
- # - Using some crafty CSS they can hide your site in the background and create some
- # - genuine looking overlays. When your visitors click on what they think is a harmless
- # - link, they're actually clicking on links on your website in the background. That
- # - might not seem so bad until we realise that the browser will execute those requests
- # - in the context of the user, which could include them being logged in and authenticated
- # - to your site!
- # -
- # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front :
- # - of you':
- # -
- # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
- # -
- # - Valid values:
- # -
- # - DENY meaning your site can't be framed
- # -
- # - SAMEORIGIN which allows you to frame your own site
- # -
- # - ALLOW-FROM https://example.com/ which lets you specify
- # - sites that are permitted to frame your own site.
- # -
- # - Note:
- # - For Apache 2.2 use
- # - Header always set X-Frame-Options "SAMEORIGIN"
- # -
- #Header always append X-Frame-Options "SAMEORIGIN"
+# - X-Xss-Protection
+# -
+# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
+# -
+# - X-XSS-Protection sets the configuration for the cross-site
+# - scripting filters built into most browsers. The best
+# - configuration is "X-XSS-Protection: 1; mode=block".
+# -
+# - This header is used to configure the built in reflective XSS protection found
+# - in Internet Explorer, Chrome and Safari (Webkit).
+# -
+# - Valid settings for the header are:
+# -
+# - 0 which disables the protection,
+# -
+# - 1 which enables the protection
+# -
+# - 1; mode=block which tells the browser to block the response
+# - if it detects an attack rather than sanitising
+# - the script.
+# -
+#Header always set X-Xss-Protection "1; mode=block"
- # - X-Xss-Protection
- # -
- # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
- # -
- # - X-XSS-Protection sets the configuration for the cross-site
- # - scripting filters built into most browsers. The best
- # - configuration is "X-XSS-Protection: 1; mode=block".
- # -
- # - This header is used to configure the built in reflective XSS protection found
- # - in Internet Explorer, Chrome and Safari (Webkit).
- # -
- # - Valid settings for the header are:
- # -
- # - 0 which disables the protection,
- # -
- # - 1 which enables the protection
- # -
- # - 1; mode=block which tells the browser to block the response
- # - if it detects an attack rather than sanitising
- # - the script.
- # -
- #Header always set X-Xss-Protection "1; mode=block"
+# - X-Content-Type-Options
+# -
+# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
+# -
+# - X-Content-Type-Options stops a browser from trying to MIME-sniff
+# - the content type and forces it to stick with the declared
+# - content-type.
+# -
+# - Nice and easy to configure, this header only has one valid value, nosniff.
+# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
+# - the content-type of a response away from the one being declared by the server.
+# - It reduces exposure to drive-by downloads and the risks of user uploaded content
+# - that, with clever naming, could be treated as a different content-type, like
+# - an executable.
+# -
+# - The only valid value for this header is
+# -
+# - "X-Content-Type-Options: nosniff".
+# -
+#Header always set X-Content-Type-Options "nosniff"
- # - X-Content-Type-Options
- # -
- # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
- # -
- # - X-Content-Type-Options stops a browser from trying to MIME-sniff
- # - the content type and forces it to stick with the declared
- # - content-type.
- # -
- # - Nice and easy to configure, this header only has one valid value, nosniff.
- # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
- # - the content-type of a response away from the one being declared by the server.
- # - It reduces exposure to drive-by downloads and the risks of user uploaded content
- # - that, with clever naming, could be treated as a different content-type, like
- # - an executable.
- # -
- # - The only valid value for this header is
- # -
- # - "X-Content-Type-Options: nosniff".
- # -
- #Header always set X-Content-Type-Options "nosniff"
+# - Content Security Policy
+# -
+# - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
+# - https://content-security-policy.com/
+# -
+# - Content Security Policy is an effective measure to protect your
+# - site from XSS attacks by whitelisting sources of approved content.
+# -
+# - The CSP header allows you to define a whitelist of approved sources of content
+# - for your site. By restricting the assets that a browser can load for your site,
+# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
+# - have covered CSP in a lot more detail in my blog Content Security Policy - An
+# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
+# -
+# - Examples: "default-src 'self';"
+# - would only allow assets to be loaded from the current origin
+# - (but not subdomains).
+# -
+# - "default-src https:"
+# - would allow any assets to be loaded over https from any origin.
+# -
+# - Allow Google Analytics, Google AJAX CDN and Same Origin
+# - script-src 'self' www.google-analytics.com ajax.googleapis.com;
+# -
+# - Emmbedding Google Fonts
+# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+# -
+# - Allow YouTube Videos (iframe embedded) and Same Origin
+# - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
+# - worker-src 'self' www.youtube.com
+# -
+# - Allow OpenStreetMap
+# - script-src (self)
+# - style-src ('unsafe-inline')
+# - img-src (data:)
+# - font-src (data:)
+# - sandbox (allow-scripts allow-same-origin)
+# -
+#Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'"
- # - Content Security Policy
- # -
- # - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
- # - https://content-security-policy.com/
- # -
- # - Content Security Policy is an effective measure to protect your
- # - site from XSS attacks by whitelisting sources of approved content.
- # -
- # - The CSP header allows you to define a whitelist of approved sources of content
- # - for your site. By restricting the assets that a browser can load for your site,
- # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
- # - have covered CSP in a lot more detail in my blog Content Security Policy - An
- # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
- # -
- # - Examples: "default-src 'self';"
- # - would only allow assets to be loaded from the current origin
- # - (but not subdomains).
- # -
- # - "default-src https:"
- # - would allow any assets to be loaded over https from any origin.
- # -
- # - Allow Google Analytics, Google AJAX CDN and Same Origin
- # - script-src 'self' www.google-analytics.com ajax.googleapis.com;
- # -
- # - Emmbedding Google Fonts
- # - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
- # -
- # - Allow YouTube Videos (iframe embedded) and Same Origin
- # - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
- # - worker-src 'self' www.youtube.com
- # -
- # - Allow OpenStreetMap
- # - script-src (self)
- # - style-src ('unsafe-inline')
- # - img-src (data:)
- # - font-src (data:)
- # - sandbox (allow-scripts allow-same-origin)
- # -
- #Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'"
+# - A more secure configuration, including Google Analytics, Google AJAX CDN
+# - and Emmbedding Google Fonts
+# -
+#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
- # - A more secure configuration, including Google Analytics, Google AJAX CDN
- # - and Emmbedding Google Fonts
- # -
- #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+# - Same as above but also allow YouTube Videos
+# -
+#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
- # - Same as above but also allow YouTube Videos
- # -
- #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+# - Same as above but also allow YouTube Videos
+# -
+#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
- # - Same as above but also allow YouTube Videos
- # -
- #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+# - Referrer-Policy
+# -
+# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# - https://www.w3.org/TR/referrer-policy/
+# -
+# - Referrer Policy is a new header that allows a site to control how
+# - much information the browser includes with navigations away from
+# - a document and should be set by all sites.
+# -
+# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
+# - field that identifies the address of the webpage (i.e. the URI or IRI) that
+# - linked to the resource being requested. By checking the referrer, the new
+# - webpage can see where the request originated.
+# -
+# - For a complete list and explanation of values, see urls above
+# -
+# - Example: "no-referrer-when-downgrade"
+# - The browser will not send the referrer header when navigating
+# - from HTTPS to HTTP, but will always send the full URL in the
+# - referrer header when navigating from HTTP to any origin. It
+# - doesn't matter whether the source and destination are the same
+# - site or not, only the scheme.
+# -
+#Header set Referrer-Policy "strict-origin-when-cross-origin"
- # - Referrer-Policy
- # -
- # - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
- # - https://www.w3.org/TR/referrer-policy/
- # -
- # - Referrer Policy is a new header that allows a site to control how
- # - much information the browser includes with navigations away from
- # - a document and should be set by all sites.
- # -
- # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
- # - field that identifies the address of the webpage (i.e. the URI or IRI) that
- # - linked to the resource being requested. By checking the referrer, the new
- # - webpage can see where the request originated.
- # -
- # - For a complete list and explanation of values, see urls above
- # -
- # - Example: "no-referrer-when-downgrade"
- # - The browser will not send the referrer header when navigating
- # - from HTTPS to HTTP, but will always send the full URL in the
- # - referrer header when navigating from HTTP to any origin. It
- # - doesn't matter whether the source and destination are the same
- # - site or not, only the scheme.
- # -
- #Header set Referrer-Policy "strict-origin-when-cross-origin"
-
- # - HTTP Strict Transport Security (HSTS)
- # -
- # - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
- # -
- # - HTTP Strict Transport Security (HSTS) is an excellent feature
- # - to support on your site and strengthens your implementation of
- # - TLS by getting the User Agent to enforce the use of HTTPS.
- # -
- # - HSTS tells a browser that the website should only be accessed through
- # - a secure connection. The HSTS header will be remembered by a standard
- # - compliant browser for max-age seconds.
- # -
- # - Remember this settings for 1 year
- # -
- #Header always set Strict-Transport-Security "max-age=15768000"
+# - HTTP Strict Transport Security (HSTS)
+# -
+# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
+# -
+# - HTTP Strict Transport Security (HSTS) is an excellent feature
+# - to support on your site and strengthens your implementation of
+# - TLS by getting the User Agent to enforce the use of HTTPS.
+# -
+# - HSTS tells a browser that the website should only be accessed through
+# - a secure connection. The HSTS header will be remembered by a standard
+# - compliant browser for max-age seconds.
+# -
+# - Remember this settings for 1 year
+# -
+#Header always set Strict-Transport-Security "max-age=15768000"
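Review bot: In the "Same as above but also allow YouTube Videos" example, `worker-src 'self' www.youtube.com` does not permit an iframe embed: frames are governed by `frame-src` (falling back to `child-src`, then `default-src`), so with `default-src 'none'` and `child-src 'self'` a YouTube iframe is still blocked; the directive that needs `www.youtube.com` is `frame-src` (or `child-src`). The same comment is then reused verbatim for the third variant, which additionally opens `img-src` to `data:` and adds `*.openstreetmap.org`, so that comment should mention OpenStreetMap. The "Remember this settings for 1 year" comment above `max-age=15768000` is off by half: 15768000 seconds is about 182 days, so either correct the comment or use 31536000. The "more secure" policy still carries `'unsafe-inline'` in `script-src`, which lets injected inline scripts run and undercuts the XSS protection the section describes; a comment explaining why it is kept (or a nonce/hash alternative) would help readers. Smaller points: `Header set Referrer-Policy` lacks the `always` the other lines use, so it would not be applied to non-2xx responses; `Header always append X-Frame-Options` can yield a comma-joined value if an upstream already set the header, so `set` (as the Apache 2.2 note itself uses) is safer; and "Emmbedding" is misspelled twice.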