From 7de111487ff5e58d88184b4b351d223b79e99638 Mon Sep 17 00:00:00 2001
From: Christoph <ckubu@oopen.de>
Date: Wed, 14 Dec 2022 13:38:03 +0100
Subject: [PATCH] Add Header 'Permissions-Policy'. Add comments to 'Set-Cookie'
 Header.

---
 DOC/README.HTTP-security-headers | 45 ++++++++++++++++++++++++++++----
 1 file changed, 40 insertions(+), 5 deletions(-)

diff --git a/DOC/README.HTTP-security-headers b/DOC/README.HTTP-security-headers
index 3df8a50..1266bdf 100644
--- a/DOC/README.HTTP-security-headers
+++ b/DOC/README.HTTP-security-headers
@@ -2,11 +2,11 @@
 # - HTTP security Headers
 # ==========
 
-# You can mitigate most of the common Cross Site Scripting attack using HttpOnly 
-# and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible 
-# to steal or manipulate web application session and cookies and it’s dangerous.
-#
-#Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
+# ----------
+# - You can test yout HTTP Header setting here:
+# -    https://securityheaders.com/
+# ----------
+
 
 # - X-Frame-Options
 # - 
@@ -172,6 +172,41 @@
 # - 
 #Header set  Referrer-Policy "strict-origin-when-cross-origin"
 
+# - Permissions-Policy
+# -
+# - see also:
+# -   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
+# - 
+# - Browser bieten einige Features und APIs, auf die wir Entwickler zugreifen können. 
+# - Das beinhaltet etwa Kamera und Mikrofon des Endgeräts. Mit einer Permissions Policy 
+# - können wir diese Funktionen für unsere Seite aktivieren, deaktivieren oder auf eine 
+# - Quelle begrenzen. Wenn ihr ein Feature abschaltet, können auch keine Dritten darauf 
+# - zugreifen, etwa per eingebettetem <iframe>. Ihr könnt jedes Feature über eine eigene 
+# - Direktive individuell einrichten. 
+# -
+# - This specification defines a mechanism that allows developers to selectively enable 
+# - and disable use of various browser features and APIs.
+# -
+#Header always set Permissions-Policy: "usb=()"
+
+# - Set-Cookie
+# -
+# - The Set-Cookie HTTP response header is used to send a cookie from the server to the 
+# - user agent, so that the user agent can send it back to the server later. To send 
+# - multiple cookies, multiple Set-Cookie headers should be sent in the same response. 
+# -
+# - You can mitigate most of the common Cross Site Scripting attack using HttpOnly 
+# - and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible 
+# - to steal or manipulate web application session and cookies and it’s dangerous.
+# -
+# -    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
+# -
+# -
+# - best possible cookie:
+# -    Header set Set-Cookie: "__Host-sess=a92fe1; path=/; Secure; HttpOnly; SameSite=Strict"
+#
+#Header set Set-Cookie: "sess=joh3Ao4e; path=/; HttpOnly"
+
 # - HTTP Strict Transport Security (HSTS)
 # - 
 # - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/