From 6d423afeb3375d1ba5625a2fca2a8d3bf26a4579 Mon Sep 17 00:00:00 2001
From: Christoph <ckubu@oopen.de>
Date: Mon, 2 Nov 2020 23:45:50 +0100
Subject: [PATCH] install_httpd-2.4.sh: add HTTP security Headers to
 000-default.conf.

---
 install_httpd-2.4.sh | 93 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)

diff --git a/install_httpd-2.4.sh b/install_httpd-2.4.sh
index 17c981d..9831660 100755
--- a/install_httpd-2.4.sh
+++ b/install_httpd-2.4.sh
@@ -3910,6 +3910,99 @@ $_vhost_default_443
 
    DocumentRoot "$GLOBAL_DOC_ROOT"
 
+   # ==========
+   # - HTTP security Headers
+   # ==========
+
+   # - X-Frame-Options
+   # -
+   # - The X-Frame-Options header (RFC), or XFO header, protects your visitors 
+   # - against clickjacking attacks. An attacker can load up an iframe on their 
+   # - site and set your site as the source, it's quite easy: 
+   # -
+   # -    <iframe src="https://scotthelme.co.uk"></iframe>
+   # -
+   # - Using some crafty CSS they can hide your site in the background and create some 
+   # - genuine looking overlays. When your visitors click on what they think is a harmless 
+   # - link, they're actually clicking on links on your website in the background. That 
+   # - might not seem so bad until we realise that the browser will execute those requests 
+   # - in the context of the user, which could include them being logged in and authenticated 
+   # - to your site!
+   # -
+   # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front :
+   # - of you':
+   # -
+   # -    http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
+   # -
+   # - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows 
+   # - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify 
+   # -sites that are permitted to frame your own site.
+   # -
+   Header always set X-Frame-Options "SAMEORIGIN"
+
+   # -  X-Xss-Protection
+   # -
+   # - This header is used to configure the built in reflective XSS protection found 
+   # - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header 
+   # - are 0, which disables the protection, 1 which enables the protection 
+   # - and 1; mode=block which tells the browser to block the response if it 
+   # - detects an attack rather than sanitising the script.
+   # -
+   Header always set X-Xss-Protection "1; mode=block"
+
+   # - X-Content-Type-Options
+   # -
+   # - Nice and easy to configure, this header only has one valid value, nosniff. 
+   # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff 
+   # - the content-type of a response away from the one being declared by the server. 
+   # - It reduces exposure to drive-by downloads and the risks of user uploaded content 
+   # - that, with clever naming, could be treated as a different content-type, like 
+   # - an executable.
+   # -
+   Header always set X-Content-Type-Options "nosniff"
+
+   # - Content Security Policy
+   # -
+   # - The CSP header allows you to define a whitelist of approved sources of content 
+   # - for your site. By restricting the assets that a browser can load for your site, 
+   # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I 
+   # - have covered CSP in a lot more detail in my blog Content Security Policy - An 
+   # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/). 
+   # -
+   # - Here is a basic policy to enforce TLS on all assets and prevent 
+   # - mixed content warnings.
+   # -
+   # - Allow Google Analytics, Google AJAX CDN and Same Origin
+   # -    script-src 'self' www.google-analytics.com ajax.googleapis.com;
+   # -
+   # - Emmbedding Google Fonts
+   # -    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; 
+   # -
+   # - Allow YouTube Videos (iframe embedded)
+   # -     frame-src 'self' https://www.youtube.com
+   # -
+   #Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' ; object-src 'none'"
+   Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' ; img-src 'self' data: https: ; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self' ; frame-src 'self'; worker-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+
+   # - Referrer-Policy
+   # -
+   # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header 
+   # - field that identifies the address of the webpage (i.e. the URI or IRI) that 
+   # - linked to the resource being requested. By checking the referrer, the new 
+   # - webpage can see where the request originated.
+   # -
+   Header set  Referrer-Policy "strict-origin-when-cross-origin"
+
+   # - HTTP Strict Transport Security (HSTS)
+   # -
+   # - HSTS tells a browser that the website should only be accessed through
+   # - a secure connection. The HSTS header will be remembered by a standard
+   # compliant browser for max-age seconds.
+   # -
+   # - Remember this settings for 1 year
+   # -
+   Header always set Strict-Transport-Security "max-age=31536000"
+
    SSLEngine on
 
    ## - don't support weak ciphers