install/apache2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adjust Documentation for securits headers.

Browse Source
This commit is contained in:
Christoph
2019-01-16 02:34:52 +01:00
parent 0c06217da3
commit 57e15ead76
1 changed files with 179 additions and 180 deletions
Download Patch File Download Diff File Expand all files Collapse all files

359
DOC/README.HTTP-security-headers
View File

@@ -1,190 +1,189 @@
# ==========
# - HTTP security Headers
# ==========
# ========== # You can mitigate most of the common Cross Site Scripting attack using HttpOnly
# - HTTP security Headers # and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible
# ========== # to steal or manipulate web application session and cookies and its dangerous.
#
#Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
# You can mitigate most of the common Cross Site Scripting attack using HttpOnly # - X-Frame-Options
# and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible # -
# to steal or manipulate web application session and cookies and its dangerous. # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# # -
#Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure" # - X-Frame-Options tells the browser whether you want to
# - allow your site to be framed or not. By preventing a
# - browser from framing your site you can defend against
# - attacks like clickjacking
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# -
# - <iframe src="https://scotthelme.co.uk"></iframe>
# -
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - to your site!
# -
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
# - of you':
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values:
# -
# - DENY meaning your site can't be framed
# -
# - SAMEORIGIN which allows you to frame your own site
# -
# - ALLOW-FROM https://example.com/ which lets you specify
# - sites that are permitted to frame your own site.
# -
# - Note:
# - For Apache 2.2 use
# - Header always set X-Frame-Options "SAMEORIGIN"
# -
#Header always append X-Frame-Options "SAMEORIGIN"
# - X-Frame-Options # - X-Xss-Protection
# - # -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
# - # -
# - X-Frame-Options tells the browser whether you want to # - X-XSS-Protection sets the configuration for the cross-site
# - allow your site to be framed or not. By preventing a # - scripting filters built into most browsers. The best
# - browser from framing your site you can defend against # - configuration is "X-XSS-Protection: 1; mode=block".
# - attacks like clickjacking # -
# - # - This header is used to configure the built in reflective XSS protection found
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors # - in Internet Explorer, Chrome and Safari (Webkit).
# - against clickjacking attacks. An attacker can load up an iframe on their # -
# - site and set your site as the source, it's quite easy: # - Valid settings for the header are:
# - # -
# - <iframe src="https://scotthelme.co.uk"></iframe> # - 0 which disables the protection,
# - # -
# - Using some crafty CSS they can hide your site in the background and create some # - 1 which enables the protection
# - genuine looking overlays. When your visitors click on what they think is a harmless # -
# - link, they're actually clicking on links on your website in the background. That # - 1; mode=block which tells the browser to block the response
# - might not seem so bad until we realise that the browser will execute those requests # - if it detects an attack rather than sanitising
# - in the context of the user, which could include them being logged in and authenticated # - the script.
# - to your site! # -
# - #Header always set X-Xss-Protection "1; mode=block"
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
# - of you':
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values:
# -
# - DENY meaning your site can't be framed
# -
# - SAMEORIGIN which allows you to frame your own site
# -
# - ALLOW-FROM https://example.com/ which lets you specify
# - sites that are permitted to frame your own site.
# -
# - Note:
# - For Apache 2.2 use
# - Header always set X-Frame-Options "SAMEORIGIN"
# -
#Header always append X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection # - X-Content-Type-Options
# - # -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
# - # -
# - X-XSS-Protection sets the configuration for the cross-site # - X-Content-Type-Options stops a browser from trying to MIME-sniff
# - scripting filters built into most browsers. The best # - the content type and forces it to stick with the declared
# - configuration is "X-XSS-Protection: 1; mode=block". # - content-type.
# - # -
# - This header is used to configure the built in reflective XSS protection found # - Nice and easy to configure, this header only has one valid value, nosniff.
# - in Internet Explorer, Chrome and Safari (Webkit). # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - # - the content-type of a response away from the one being declared by the server.
# - Valid settings for the header are: # - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - # - that, with clever naming, could be treated as a different content-type, like
# - 0 which disables the protection, # - an executable.
# - # -
# - 1 which enables the protection # - The only valid value for this header is
# - # -
# - 1; mode=block which tells the browser to block the response # - "X-Content-Type-Options: nosniff".
# - if it detects an attack rather than sanitising # -
# - the script. #Header always set X-Content-Type-Options "nosniff"
# -
#Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options # - Content Security Policy
# - # -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options # - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
# - # - https://content-security-policy.com/
# - X-Content-Type-Options stops a browser from trying to MIME-sniff # -
# - the content type and forces it to stick with the declared # - Content Security Policy is an effective measure to protect your
# - content-type. # - site from XSS attacks by whitelisting sources of approved content.
# - # -
# - Nice and easy to configure, this header only has one valid value, nosniff. # - The CSP header allows you to define a whitelist of approved sources of content
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff # - for your site. By restricting the assets that a browser can load for your site,
# - the content-type of a response away from the one being declared by the server. # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - It reduces exposure to drive-by downloads and the risks of user uploaded content # - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - that, with clever naming, could be treated as a different content-type, like # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# - an executable. # -
# - # - Examples: "default-src 'self';"
# - The only valid value for this header is # - would only allow assets to be loaded from the current origin
# - # - (but not subdomains).
# - "X-Content-Type-Options: nosniff". # -
# - # - "default-src https:"
#Header always set X-Content-Type-Options "nosniff" # - would allow any assets to be loaded over https from any origin.
# -
# - Allow Google Analytics, Google AJAX CDN and Same Origin
# - script-src 'self' www.google-analytics.com ajax.googleapis.com;
# -
# - Emmbedding Google Fonts
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# -
# - Allow YouTube Videos (iframe embedded) and Same Origin
# - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
# - worker-src 'self' www.youtube.com
# -
# - Allow OpenStreetMap
# - script-src (self)
# - style-src ('unsafe-inline')
# - img-src (data:)
# - font-src (data:)
# - sandbox (allow-scripts allow-same-origin)
# -
#Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'"
# - Content Security Policy # - A more secure configuration, including Google Analytics, Google AJAX CDN
# - # - and Emmbedding Google Fonts
# - See: https://scotthelme.co.uk/content-security-policy-an-introduction/ # -
# - https://content-security-policy.com/ #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# -
# - Content Security Policy is an effective measure to protect your
# - site from XSS attacks by whitelisting sources of approved content.
# -
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# -
# - Examples: "default-src 'self';"
# - would only allow assets to be loaded from the current origin
# - (but not subdomains).
# -
# - "default-src https:"
# - would allow any assets to be loaded over https from any origin.
# -
# - Allow Google Analytics, Google AJAX CDN and Same Origin
# - script-src 'self' www.google-analytics.com ajax.googleapis.com;
# -
# - Emmbedding Google Fonts
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# -
# - Allow YouTube Videos (iframe embedded) and Same Origin
# - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
# - worker-src 'self' www.youtube.com
# -
# - Allow OpenStreetMap
# - script-src (self)
# - style-src ('unsafe-inline')
# - img-src (data:)
# - font-src (data:)
# - sandbox (allow-scripts allow-same-origin)
# -
#Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'"
# - A more secure configuration, including Google Analytics, Google AJAX CDN # - Same as above but also allow YouTube Videos
# - and Emmbedding Google Fonts # -
# - #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# - Same as above but also allow YouTube Videos # - Same as above but also allow YouTube Videos
# - # -
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# - Same as above but also allow YouTube Videos # - Referrer-Policy
# - # -
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" # - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# - https://www.w3.org/TR/referrer-policy/
# -
# - Referrer Policy is a new header that allows a site to control how
# - much information the browser includes with navigations away from
# - a document and should be set by all sites.
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Example: "no-referrer-when-downgrade"
# - The browser will not send the referrer header when navigating
# - from HTTPS to HTTP, but will always send the full URL in the
# - referrer header when navigating from HTTP to any origin. It
# - doesn't matter whether the source and destination are the same
# - site or not, only the scheme.
# -
#Header set Referrer-Policy "strict-origin-when-cross-origin"
# - Referrer-Policy # - HTTP Strict Transport Security (HSTS)
# - # -
# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ # - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
# - https://www.w3.org/TR/referrer-policy/ # -
# - # - HTTP Strict Transport Security (HSTS) is an excellent feature
# - Referrer Policy is a new header that allows a site to control how # - to support on your site and strengthens your implementation of
# - much information the browser includes with navigations away from # - TLS by getting the User Agent to enforce the use of HTTPS.
# - a document and should be set by all sites. # -
# - # - HSTS tells a browser that the website should only be accessed through
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header # - a secure connection. The HSTS header will be remembered by a standard
# - field that identifies the address of the webpage (i.e. the URI or IRI) that # - compliant browser for max-age seconds.
# - linked to the resource being requested. By checking the referrer, the new # -
# - webpage can see where the request originated. # - Remember this settings for 1 year
# - # -
# - For a complete list and explanation of values, see urls above #Header always set Strict-Transport-Security "max-age=15768000"
# -
# - Example: "no-referrer-when-downgrade"
# - The browser will not send the referrer header when navigating
# - from HTTPS to HTTP, but will always send the full URL in the
# - referrer header when navigating from HTTP to any origin. It
# - doesn't matter whether the source and destination are the same
# - site or not, only the scheme.
# -
#Header set Referrer-Policy "strict-origin-when-cross-origin"
# - HTTP Strict Transport Security (HSTS)
# -
# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
# -
# - HTTP Strict Transport Security (HSTS) is an excellent feature
# - to support on your site and strengthens your implementation of
# - TLS by getting the User Agent to enforce the use of HTTPS.
# -
# - HSTS tells a browser that the website should only be accessed through
# - a secure connection. The HSTS header will be remembered by a standard
# - compliant browser for max-age seconds.
# -
# - Remember this settings for 1 year
# -
#Header always set Strict-Transport-Security "max-age=15768000"