Add READMEs for HTTP security headers. Add list of HTTP return codes.
DOC/README.HTTP_security_headers (new file, 123 lines)
@ -0,0 +1,123 @@
# ==========
# - HTTP security Headers
# ==========

# - X-Frame-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# -
# - X-Frame-Options tells the browser whether you want to
# - allow your site to be framed or not. By preventing a
# - browser from framing your site you can defend against
# - attacks like clickjacking.
# -
# - Valid values:
# -
# - DENY meaning your site can't be framed
# -
# - SAMEORIGIN which allows you to frame your own site
# -
# - ALLOW-FROM https://example.com/ which lets you specify
# - sites that are permitted to frame your own site.
# -
Header always set X-Frame-Options "SAMEORIGIN"


# - X-Xss-Protection
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
# -
# - X-XSS-Protection sets the configuration for the cross-site
# - scripting filters built into most browsers. The best
# - configuration is "X-XSS-Protection: 1; mode=block".
# -
# - Valid settings for the header are:
# -
# - 0 which disables the protection,
# -
# - 1 which enables the protection
# -
# - 1; mode=block which tells the browser to block the response
# - if it detects an attack rather than sanitising
# - the script.
# -
Header always set X-Content-Type-Options "nosniff"


# - X-Content-Type-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
# -
# - X-Content-Type-Options stops a browser from trying to MIME-sniff
# - the content type and forces it to stick with the declared
# - content-type.
# -
# - The only valid value for this header is
# -
# - "X-Content-Type-Options: nosniff".
# -
Header always set X-Content-Type-Options "nosniff"

# - Strict-Transport-Security
# -
# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
# -
# - HTTP Strict Transport Security (HSTS) is an excellent feature
# - to support on your site and strengthens your implementation of
# - TLS by getting the User Agent to enforce the use of HTTPS.
# -
# - The HSTS header will be remembered by a standard compliant browser
# - for max-age seconds.
# -
#Header add Strict-Transport-Security "max-age=15768000"
Header always set Strict-Transport-Security "max-age=31536000"


# - Content-Security-Policy (CSP)
# -
# - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
# -
# -
# - Content Security Policy is an effective measure to protect your
# - site from XSS attacks. By whitelisting sources of approved content,
# - you can prevent the browser from loading malicious assets. Analyse
# - this policy in more detail.
# -
# - Once you've created your policy, there's a really great feature you
# - can take advantage of to test it. Instead of sending the header
# - Content-Security-Policy:, you can send Content-Security-Policy-Report-Only:.
# - This means the browser will receive and act upon the policy, but instead of
# - enforcing it, it will give you feedback on what the effects of the policy
# - would have been.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Examples: "default-src 'self';"
# - would only allow assets to be loaded from the current origin
# - (but not subdomains).
# -
# - "default-src https:"
# - would allow any assets to be loaded over https from any origin.
# -
Header set Content-Security-Policy "default-src 'https:';"


# - Referrer-Policy
# -
# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# - https://www.w3.org/TR/referrer-policy/
# -
# - Referrer Policy is a new header that allows a site to control how
# - much information the browser includes with navigations away from
# - a document and should be set by all sites.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Example: "no-referrer-when-downgrade"
# - The browser will not send the referrer header when navigating
# - from HTTPS to HTTP, but will always send the full URL in the
# - referrer header when navigating from HTTP to any origin. It
# - doesn't matter whether the source and destination are the same
# - site or not, only the scheme.
# -
Header set Referrer-Policy "no-referrer-when-downgrade"
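Review bot: The X-Xss-Protection section ends with the wrong directive: after the comment block explaining "1; mode=block", the line that is actually emitted is `Header always set X-Content-Type-Options "nosniff"`, so the header this section documents is never sent and nosniff is set a second time in the following section. Replace that line with `Header always set X-XSS-Protection "1; mode=block"` (or drop the section, since this header is deprecated and ignored by current Chromium-based browsers). The CSP directive has a second problem: `"default-src 'https:';"` wraps the scheme in single quotes, which CSP reserves for keywords such as 'self' and 'none'; `'https:'` is not a valid source expression, browsers discard it, and a default-src with no usable sources blocks every resource on the page. The comment's own example `"default-src https:"` is the correct spelling, so the directive should read `Header always set Content-Security-Policy "default-src https:;"`. That also fixes the third point: the CSP and Referrer-Policy lines use `Header set` while every other directive uses `Header always set`; without `always`, Apache adds the header only to successful responses, so error pages (4xx/5xx) go out without a policy. Minor: the commented-out `#Header add Strict-Transport-Security "max-age=15768000"` is dead configuration and can be removed, and the ALLOW-FROM value listed for X-Frame-Options is obsolete (unsupported in Chrome and Safari); frame-ancestors in CSP is the maintained replacement.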
DOC/README.HTTP_status_codes (new file, 42 lines)
@ -0,0 +1,42 @@
HTTP - Return Codes
===================


100 continue weitere Daten senden
101 switching protocols <09>bertragungsprotokoll ge<67>ndert
200 ok <09>bertragung ok
201 created Neue Datenquelle wurde erstellt
202 accepted Anfrage akzeptiert, aber noch nicht beantwortet
203 non-authoritative information Zwischengeschaltetes Programm kann Information ver<65>ndert haben
204 no content es wurde nichts (neues) geliefert
205 reset content Inhalt soll zur<75>ckgesetzt werden
206 partial content Es wurde (nur) ein Teil des Inhaltes zur<75>ckgeliefert
300 multiple choice Es stehen mehrere Datenquellen zur Auswahl
301 moved permanently Dokument wurde dauerhaft verschoben ( neues Ziel wird in der Meldung angegeben )
302 moved temporarily Dokument wurde kurzzeitig verschoben ( neues Ziel wird in der Meldung angegeben )
303 see other / method Falscher Adressat f<>r Anforderung ( neues Ziel wird in der Meldung angegeben )
304 not modified Dokument wurde seit der letzten Anforderung nicht ver<65>ndert
305 use proxy Anfrage kann besser vom proxy beantwortet werden ( Adresse in der Meldung )
306 unused aktuell unbenutzt ( aber noch reserviert )
307 movedtemporarily Dokument wurde kurzzeitig verschoben ( neues Ziel wird in der Meldung angegeben )
400 bad request Anfrage ist fehlerhaft
401 unauthorized keine Berechtigung
402 payment required nur gegen Bezahlung geht's weiter ( noch nicht eingesetzt )
403 forbidden Art des Zugriffs ist verboten
404 not found Dokument wurde nicht gefunden
405 method not allowed MIME-Typ passt nicht zum Dokument
406 not acceptable Anfrage wurde nicht akzeptiert
407 proxy authentication required keine Berechtigung durch proxy
408 timeout Anwort dauerte zu lange
410 gone Dokument wurde gel<65>scht
411 length required L<>nge des Dokuments muss angegeben werden
413 too large Anforderung ist zu lang
414 URI to large die angegebene Zieladresse ist zu lang
415 unsupported media type angegebener Dokumententyp wird nicht unterst<73>tzt
500 internal server error interner Fehler auf dem Server ( hard- oder software )
501 not implemented f<>r diese Abfrage ist der Server nicht programmiert
502 bad gateway proxy oder gateway hat einen Fehler in den Daten erkannt
503 service unavailable Server ist <20>berlastet
504 gateway timeout proxy oder gateway erh<72>lt keine Antwort vom Server
505 version not supported das verwendete HTTP-Protokoll wird nicht unterst<73>tzt
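Review bot: Several descriptions in this list are wrong and would mislead anyone using it to interpret logs. The 405 line ("MIME-Typ passt nicht zum Dokument") describes 415 Unsupported Media Type; 405 Method Not Allowed means the request method is not permitted for the resource. 302 and 307 are both labelled "moved temporarily": the standard reason phrases are 302 Found and 307 Temporary Redirect, and the difference worth noting is that 307 forbids the client from changing the request method, while 302 is often followed as a GET. The 303 line reads "see other / method", which looks like an editing leftover; 303 See Other tells the client to GET the Location. Reason-phrase typos: 408 is Request Timeout ("Anwort" should be "Antwort"), 413 is Payload Too Large / Request Entity Too Large, 414 is URI Too Long ("to large"), 307 is missing the space in "movedtemporarily". The file is also not UTF-8: every umlaut is rendered as a replacement byte (`<09>bertragung`, `ge<67>ndert`, `gel<65>scht`), so re-save it as UTF-8. Finally, the reason phrases are English while the explanations are German; pick one language for the whole file, and consider adding the commonly seen codes the list omits (409, 412, 429).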