From 57e15ead76e6a7edc8dc1d5ac47d1750deb1f989 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 16 Jan 2019 02:34:52 +0100 Subject: [PATCH] Adjust Documentation for security headers. --- DOC/README.HTTP-security-headers | 359 +++++++++++++++---------------- 1 file changed, 179 insertions(+), 180 deletions(-) diff --git a/DOC/README.HTTP-security-headers b/DOC/README.HTTP-security-headers index 8554cad..3df8a50 100644 --- a/DOC/README.HTTP-security-headers +++ b/DOC/README.HTTP-security-headers 
@@ -1,190 +1,189 @@ +# ========== +# - HTTP security Headers +# ========== - # ========== - # - HTTP security Headers - # ========== +# You can mitigate most of the common Cross Site Scripting attack using HttpOnly +# and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible +# to steal or manipulate web application session and cookies and it’s dangerous. +# +#Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure" - # You can mitigate most of the common Cross Site Scripting attack using HttpOnly - # and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible - # to steal or manipulate web application session and cookies and it’s dangerous. - # - #Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure" +# - X-Frame-Options +# - +# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options +# - +# - X-Frame-Options tells the browser whether you want to +# - allow your site to be framed or not. By preventing a +# - browser from framing your site you can defend against +# - attacks like clickjacking +# - +# - The X-Frame-Options header (RFC), or XFO header, protects your visitors +# - against clickjacking attacks. An attacker can load up an iframe on their +# - site and set your site as the source, it's quite easy: +# - +# - +# - +# - Using some crafty CSS they can hide your site in the background and create some +# - genuine looking overlays. When your visitors click on what they think is a harmless +# - link, they're actually clicking on links on your website in the background. That +# - might not seem so bad until we realise that the browser will execute those requests +# - in the context of the user, which could include them being logged in and authenticated +# - to your site! 
+# - +# - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front : +# - of you': +# - +# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html +# - +# - Valid values: +# - +# - DENY meaning your site can't be framed +# - +# - SAMEORIGIN which allows you to frame your own site +# - +# - ALLOW-FROM https://example.com/ which lets you specify +# - sites that are permitted to frame your own site. +# - +# - Note: +# - For Apache 2.2 use +# - Header always set X-Frame-Options "SAMEORIGIN" +# - +#Header always append X-Frame-Options "SAMEORIGIN" - # - X-Frame-Options - # - - # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options - # - - # - X-Frame-Options tells the browser whether you want to - # - allow your site to be framed or not. By preventing a - # - browser from framing your site you can defend against - # - attacks like clickjacking - # - - # - The X-Frame-Options header (RFC), or XFO header, protects your visitors - # - against clickjacking attacks. An attacker can load up an iframe on their - # - site and set your site as the source, it's quite easy: - # - - # - - # - - # - Using some crafty CSS they can hide your site in the background and create some - # - genuine looking overlays. When your visitors click on what they think is a harmless - # - link, they're actually clicking on links on your website in the background. That - # - might not seem so bad until we realise that the browser will execute those requests - # - in the context of the user, which could include them being logged in and authenticated - # - to your site! 
- # - - # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front : - # - of you': - # - - # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html - # - - # - Valid values: - # - - # - DENY meaning your site can't be framed - # - - # - SAMEORIGIN which allows you to frame your own site - # - - # - ALLOW-FROM https://example.com/ which lets you specify - # - sites that are permitted to frame your own site. - # - - # - Note: - # - For Apache 2.2 use - # - Header always set X-Frame-Options "SAMEORIGIN" - # - - #Header always append X-Frame-Options "SAMEORIGIN" +# - X-Xss-Protection +# - +# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection +# - +# - X-XSS-Protection sets the configuration for the cross-site +# - scripting filters built into most browsers. The best +# - configuration is "X-XSS-Protection: 1; mode=block". +# - +# - This header is used to configure the built in reflective XSS protection found +# - in Internet Explorer, Chrome and Safari (Webkit). +# - +# - Valid settings for the header are: +# - +# - 0 which disables the protection, +# - +# - 1 which enables the protection +# - +# - 1; mode=block which tells the browser to block the response +# - if it detects an attack rather than sanitising +# - the script. +# - +#Header always set X-Xss-Protection "1; mode=block" - # - X-Xss-Protection - # - - # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection - # - - # - X-XSS-Protection sets the configuration for the cross-site - # - scripting filters built into most browsers. The best - # - configuration is "X-XSS-Protection: 1; mode=block". - # - - # - This header is used to configure the built in reflective XSS protection found - # - in Internet Explorer, Chrome and Safari (Webkit). 
- # - - # - Valid settings for the header are: - # - - # - 0 which disables the protection, - # - - # - 1 which enables the protection - # - - # - 1; mode=block which tells the browser to block the response - # - if it detects an attack rather than sanitising - # - the script. - # - - #Header always set X-Xss-Protection "1; mode=block" +# - X-Content-Type-Options +# - +# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options +# - +# - X-Content-Type-Options stops a browser from trying to MIME-sniff +# - the content type and forces it to stick with the declared +# - content-type. +# - +# - Nice and easy to configure, this header only has one valid value, nosniff. +# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff +# - the content-type of a response away from the one being declared by the server. +# - It reduces exposure to drive-by downloads and the risks of user uploaded content +# - that, with clever naming, could be treated as a different content-type, like +# - an executable. +# - +# - The only valid value for this header is +# - +# - "X-Content-Type-Options: nosniff". +# - +#Header always set X-Content-Type-Options "nosniff" - # - X-Content-Type-Options - # - - # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options - # - - # - X-Content-Type-Options stops a browser from trying to MIME-sniff - # - the content type and forces it to stick with the declared - # - content-type. - # - - # - Nice and easy to configure, this header only has one valid value, nosniff. - # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff - # - the content-type of a response away from the one being declared by the server. - # - It reduces exposure to drive-by downloads and the risks of user uploaded content - # - that, with clever naming, could be treated as a different content-type, like - # - an executable. 
- # - - # - The only valid value for this header is - # - - # - "X-Content-Type-Options: nosniff". - # - - #Header always set X-Content-Type-Options "nosniff" +# - Content Security Policy +# - +# - See: https://scotthelme.co.uk/content-security-policy-an-introduction/ +# - https://content-security-policy.com/ +# - +# - Content Security Policy is an effective measure to protect your +# - site from XSS attacks by whitelisting sources of approved content. +# - +# - The CSP header allows you to define a whitelist of approved sources of content +# - for your site. By restricting the assets that a browser can load for your site, +# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I +# - have covered CSP in a lot more detail in my blog Content Security Policy - An +# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/). +# - +# - Examples: "default-src 'self';" +# - would only allow assets to be loaded from the current origin +# - (but not subdomains). +# - +# - "default-src https:" +# - would allow any assets to be loaded over https from any origin. 
+# - +# - Allow Google Analytics, Google AJAX CDN and Same Origin +# - script-src 'self' www.google-analytics.com ajax.googleapis.com; +# - +# - Emmbedding Google Fonts +# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; +# - +# - Allow YouTube Videos (iframe embedded) and Same Origin +# - frame-src 'self' https://www.youtube.com (frame-src is deprecated) +# - worker-src 'self' www.youtube.com +# - +# - Allow OpenStreetMap +# - script-src (self) +# - style-src ('unsafe-inline') +# - img-src (data:) +# - font-src (data:) +# - sandbox (allow-scripts allow-same-origin) +# - +#Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'" - # - Content Security Policy - # - - # - See: https://scotthelme.co.uk/content-security-policy-an-introduction/ - # - https://content-security-policy.com/ - # - - # - Content Security Policy is an effective measure to protect your - # - site from XSS attacks by whitelisting sources of approved content. - # - - # - The CSP header allows you to define a whitelist of approved sources of content - # - for your site. By restricting the assets that a browser can load for your site, - # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I - # - have covered CSP in a lot more detail in my blog Content Security Policy - An - # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/). - # - - # - Examples: "default-src 'self';" - # - would only allow assets to be loaded from the current origin - # - (but not subdomains). - # - - # - "default-src https:" - # - would allow any assets to be loaded over https from any origin. 
- # - - # - Allow Google Analytics, Google AJAX CDN and Same Origin - # - script-src 'self' www.google-analytics.com ajax.googleapis.com; - # - - # - Emmbedding Google Fonts - # - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; - # - - # - Allow YouTube Videos (iframe embedded) and Same Origin - # - frame-src 'self' https://www.youtube.com (frame-src is deprecated) - # - worker-src 'self' www.youtube.com - # - - # - Allow OpenStreetMap - # - script-src (self) - # - style-src ('unsafe-inline') - # - img-src (data:) - # - font-src (data:) - # - sandbox (allow-scripts allow-same-origin) - # - - #Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'" +# - A more secure configuration, including Google Analytics, Google AJAX CDN +# - and Emmbedding Google Fonts +# - +#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" - # - A more secure configuration, including Google Analytics, Google AJAX CDN - # - and Emmbedding Google Fonts - # - - #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" +# - Same as above but also allow YouTube Videos +# - +#Header always set 
Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" - # - Same as above but also allow YouTube Videos - # - - #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" +# - Same as above but also allow YouTube Videos +# - +#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" - # - Same as above but also allow YouTube Videos - # - - #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" 
+# - Referrer-Policy +# - +# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ +# - https://www.w3.org/TR/referrer-policy/ +# - +# - Referrer Policy is a new header that allows a site to control how +# - much information the browser includes with navigations away from +# - a document and should be set by all sites. +# - +# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header +# - field that identifies the address of the webpage (i.e. the URI or IRI) that +# - linked to the resource being requested. By checking the referrer, the new +# - webpage can see where the request originated. +# - +# - For a complete list and explanation of values, see urls above +# - +# - Example: "no-referrer-when-downgrade" +# - The browser will not send the referrer header when navigating +# - from HTTPS to HTTP, but will always send the full URL in the +# - referrer header when navigating from HTTP to any origin. It +# - doesn't matter whether the source and destination are the same +# - site or not, only the scheme. +# - +#Header set Referrer-Policy "strict-origin-when-cross-origin" - # - Referrer-Policy - # - - # - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ - # - https://www.w3.org/TR/referrer-policy/ - # - - # - Referrer Policy is a new header that allows a site to control how - # - much information the browser includes with navigations away from - # - a document and should be set by all sites. - # - - # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header - # - field that identifies the address of the webpage (i.e. the URI or IRI) that - # - linked to the resource being requested. By checking the referrer, the new - # - webpage can see where the request originated. 
- # - - # - For a complete list and explanation of values, see urls above - # - - # - Example: "no-referrer-when-downgrade" - # - The browser will not send the referrer header when navigating - # - from HTTPS to HTTP, but will always send the full URL in the - # - referrer header when navigating from HTTP to any origin. It - # - doesn't matter whether the source and destination are the same - # - site or not, only the scheme. - # - - #Header set Referrer-Policy "strict-origin-when-cross-origin" - - # - HTTP Strict Transport Security (HSTS) - # - - # - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/ - # - - # - HTTP Strict Transport Security (HSTS) is an excellent feature - # - to support on your site and strengthens your implementation of - # - TLS by getting the User Agent to enforce the use of HTTPS. - # - - # - HSTS tells a browser that the website should only be accessed through - # - a secure connection. The HSTS header will be remembered by a standard - # - compliant browser for max-age seconds. - # - - # - Remember this settings for 1 year - # - - #Header always set Strict-Transport-Security "max-age=15768000" +# - HTTP Strict Transport Security (HSTS) +# - +# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/ +# - +# - HTTP Strict Transport Security (HSTS) is an excellent feature +# - to support on your site and strengthens your implementation of +# - TLS by getting the User Agent to enforce the use of HTTPS. +# - +# - HSTS tells a browser that the website should only be accessed through +# - a secure connection. The HSTS header will be remembered by a standard +# - compliant browser for max-age seconds. +# - +# - Remember this settings for 1 year +# - +#Header always set Strict-Transport-Security "max-age=15768000"
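Review bot: the "Same as above but also allow YouTube Videos" policies at the end of the CSP section will not actually allow a YouTube iframe, because they put www.youtube.com in `worker-src` while keeping `child-src 'self'` and setting no `frame-src`; `worker-src` governs Worker, SharedWorker and ServiceWorker scripts, not frames, so the embed stays blocked. The comment block just above them shows `frame-src 'self' https://www.youtube.com` and then calls frame-src deprecated, which is the CSP2 position; in CSP3 frame-src is again the directive for iframes and child-src is only the fallback, so the fix is to add `frame-src 'self' https://www.youtube.com` (keeping child-src in step for older browsers) and drop YouTube from worker-src. The same mistake is repeated with `*.openstreetmap.org` in the last policy: map tiles are images and belong in `img-src`, not `worker-src`, and that policy's comment still says it only adds YouTube although it is the one that also adds OpenStreetMap and `img-src data:`. Smaller points in the same hunk: the policies labelled "more secure" keep `'unsafe-inline'` in script-src, which gives up most of the XSS protection the source whitelist is meant to provide, and they loosen `object-src 'none'` from the first example to `object-src 'self'`; the HSTS comment reads "Remember this settings for 1 year" but max-age=15768000 is six months (one year is 31536000), and includeSubDomains deserves a mention; the Referrer-Policy comment explains no-referrer-when-downgrade while the directive sets strict-origin-when-cross-origin, and it is the only directive in the file written without `always`, so Apache error responses will not carry it; `Header always append X-Frame-Options "SAMEORIGIN"` should use `set`, since `append` on a response that already has the header produces a comma-joined value browsers treat as invalid, and ALLOW-FROM is not supported by Chrome or Safari (the `frame-ancestors` directive already present in the CSP examples is the portable replacement); the cookie rule `Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"` appends the flags even to cookies that already carry them, and its comment overstates the effect: HttpOnly keeps script from reading the cookie, it does not mitigate the XSS itself. Finally, nearly all of the 179 insertions and 180 deletions are the removal of one leading space per line; splitting the re-indent from the content changes would make the real edits reviewable, and "Emmbedding" appears twice and should be "Embedding".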