Add Header 'Permissions-Policy'. Add comments to 'Set-Cookie' Header.
This commit is contained in:
parent
d00b062265
commit
7de111487f
@ -2,11 +2,11 @@
# - HTTP security Headers
# ==========
# You can mitigate most of the common Cross Site Scripting attack using HttpOnly
# and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible
# to steal or manipulate web application session and cookies and it’s dangerous.
#
#Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
# ----------
# - You can test yout HTTP Header setting here:
# - https://securityheaders.com/
# ----------
# - X-Frame-Options
# -
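Review bot: the comment block above `Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"` misstates what the two flags do. HttpOnly keeps the cookie out of reach of script (document.cookie), which limits what an XSS payload can steal, and Secure keeps the cookie off plaintext HTTP; neither flag mitigates the XSS itself, so "mitigate most of the common Cross Site Scripting attack" should read along the lines of "limit session theft through XSS and network eavesdropping". Two smaller points in the same hunk: "test yout HTTP Header setting" should be "your", and the edit rule appends the flags unconditionally, so a cookie the application already marks HttpOnly ends up carrying the attribute twice (browsers tolerate this, but a comment saying so would save the next reader a question).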
@ -172,6 +172,41 @@
# -
#Header set Referrer-Policy "strict-origin-when-cross-origin"
# - Permissions-Policy
# -
# - see also:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
# -
# - Browser bieten einige Features und APIs, auf die wir Entwickler zugreifen können.
# - Das beinhaltet etwa Kamera und Mikrofon des Endgeräts. Mit einer Permissions Policy
# - können wir diese Funktionen für unsere Seite aktivieren, deaktivieren oder auf eine
# - Quelle begrenzen. Wenn ihr ein Feature abschaltet, können auch keine Dritten darauf
# - zugreifen, etwa per eingebettetem <iframe>. Ihr könnt jedes Feature über eine eigene
# - Direktive individuell einrichten.
# -
# - This specification defines a mechanism that allows developers to selectively enable
# - and disable use of various browser features and APIs.
# -
#Header always set Permissions-Policy: "usb=()"
# - Set-Cookie
# -
# - The Set-Cookie HTTP response header is used to send a cookie from the server to the
# - user agent, so that the user agent can send it back to the server later. To send
# - multiple cookies, multiple Set-Cookie headers should be sent in the same response.
# -
# - You can mitigate most of the common Cross Site Scripting attack using HttpOnly
# - and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible
# - to steal or manipulate web application session and cookies and it’s dangerous.
# -
# - Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
# -
# -
# - best possible cookie:
# - Header set Set-Cookie: "__Host-sess=a92fe1; path=/; Secure; HttpOnly; SameSite=Strict"
#
#Header set Set-Cookie: "sess=joh3Ao4e; path=/; HttpOnly"
# - HTTP Strict Transport Security (HSTS)
# -
# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
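Review bot: the last Set-Cookie directive in this hunk, `#Header set Set-Cookie: "sess=joh3Ao4e; path=/; HttpOnly"`, contradicts the "best possible cookie" line two lines above it (no Secure, no SameSite, no `__Host-` prefix), and since `Header set` replaces the response header with a fixed value it would, if ever uncommented, overwrite the application's own Set-Cookie headers and hand every client the same constant session identifier; keep the `Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"` form, which adds attributes without touching the value, and either delete the static line or label it as a format illustration only. On the Permissions-Policy block: the added comment (in German; translated, it says browsers expose features and APIs such as the device's camera and microphone, that a Permissions Policy lets the site enable, disable or restrict each of them to an origin, and that a disabled feature is also unavailable to third parties such as embedded <iframe>s, each feature having its own directive) describes camera and microphone, but the directive `#Header always set Permissions-Policy: "usb=()"` only disables WebUSB; if the comment states the intent, list those features too, e.g. `Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), usb=()"`. Style: the two new directives put a colon after the header name while the Referrer-Policy line in the same hunk does not; the colon is not needed there, so drop it to match the rest of the file. Finally, the Set-Cookie comment repeats the "mitigate most of the common Cross Site Scripting attack" wording from the top of the file; HttpOnly and Secure limit what an XSS payload or a network eavesdropper can do with the cookie, they do not mitigate the XSS itself, and the wording should say so in both places.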