diff --git a/DOC/README.HTTP-security-headers b/DOC/README.HTTP-security-headers new file mode 100644 index 0000000..5334e6b --- /dev/null +++ b/DOC/README.HTTP-security-headers @@ -0,0 +1,190 @@ + + # ========== + # - HTTP security Headers + # ========== + + # You can mitigate most of the common Cross Site Scripting attack using HttpOnly + # and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible + # to steal or manipulate web application session and cookies and it’s dangerous. + # + #Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure" + + # - X-Frame-Options + # - + # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options + # - + # - X-Frame-Options tells the browser whether you want to + # - allow your site to be framed or not. By preventing a + # - browser from framing your site you can defend against + # - attacks like clickjacking + # - + # - The X-Frame-Options header (RFC), or XFO header, protects your visitors + # - against clickjacking attacks. An attacker can load up an iframe on their + # - site and set your site as the source, it's quite easy: + # - + # - + # - + # - Using some crafty CSS they can hide your site in the background and create some + # - genuine looking overlays. When your visitors click on what they think is a harmless + # - link, they're actually clicking on links on your website in the background. That + # - might not seem so bad until we realise that the browser will execute those requests + # - in the context of the user, which could include them being logged in and authenticated + # - to your site! + # - + # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front : + # - of you': + # - + # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html + # - + # - Valid values: + # - + # - DENY meaning your site can't be framed + # - + # - SAMEORIGIN which allows you to frame your own site + # - + # - ALLOW-FROM https://example.com/ which lets you specify + # - sites that are permitted to frame your own site. + # - + # - Note: + # - For Apache 2.2 use + # - Header always set X-Frame-Options "SAMEORIGIN" + # - + #Header always append X-Frame-Options "SAMEORIGIN" + + # - X-Xss-Protection + # - + # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection + # - + # - X-XSS-Protection sets the configuration for the cross-site + # - scripting filters built into most browsers. The best + # - configuration is "X-XSS-Protection: 1; mode=block". + # - + # - This header is used to configure the built in reflective XSS protection found + # - in Internet Explorer, Chrome and Safari (Webkit). + # - + # - Valid settings for the header are: + # - + # - 0 which disables the protection, + # - + # - 1 which enables the protection + # - + # - 1; mode=block which tells the browser to block the response + # - if it detects an attack rather than sanitising + # - the script. + # - + #Header always set X-Xss-Protection "1; mode=block" + + # - X-Content-Type-Options + # - + # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options + # - + # - X-Content-Type-Options stops a browser from trying to MIME-sniff + # - the content type and forces it to stick with the declared + # - content-type. + # - + # - Nice and easy to configure, this header only has one valid value, nosniff. + # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff + # - the content-type of a response away from the one being declared by the server. + # - It reduces exposure to drive-by downloads and the risks of user uploaded content + # - that, with clever naming, could be treated as a different content-type, like + # - an executable. + # - + # - The only valid value for this header is + # - + # - "X-Content-Type-Options: nosniff". + # - + #Header always set X-Content-Type-Options "nosniff" + + # - Content Security Policy + # - + # - See: https://scotthelme.co.uk/content-security-policy-an-introduction/ + # - https://content-security-policy.com/ + # - + # - Content Security Policy is an effective measure to protect your + # - site from XSS attacks by whitelisting sources of approved content. + # - + # - The CSP header allows you to define a whitelist of approved sources of content + # - for your site. By restricting the assets that a browser can load for your site, + # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I + # - have covered CSP in a lot more detail in my blog Content Security Policy - An + # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/). + # - + # - Examples: "default-src 'self';" + # - would only allow assets to be loaded from the current origin + # - (but not subdomains). + # - + # - "default-src https:" + # - would allow any assets to be loaded over https from any origin. + # - + # - Allow Google Analytics, Google AJAX CDN and Same Origin + # - script-src 'self' www.google-analytics.com ajax.googleapis.com; + # - + # - Emmbedding Google Fonts + # - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; + # - + # - Allow YouTube Videos (iframe embedded) and Same Origin + # - frame-src 'self' https://www.youtube.com (frame-src is deprecated) + # - worker-src 'self' www.youtube.com + # - + # - Allow OpenStreetMap + # - script-src (self) + # - style-src ('unsafe-inline') + # - img-src (data:) + # - font-src (data:) + # - sandbox (allow-scripts allow-same-origin) + # - + #Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'" + + # - A more secure configuration, including Google Analytics, Google AJAX CDN + # - and Emmbedding Google Fonts + # - + #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" + + # - Same as above but also allow YouTube Videos + # - + #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" + + # - Same as above but also allow YouTube Videos + # - + #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" + + # - Referrer-Policy + # - + # - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ + # - https://www.w3.org/TR/referrer-policy/ + # - + # - Referrer Policy is a new header that allows a site to control how + # - much information the browser includes with navigations away from + # - a document and should be set by all sites. + # - + # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header + # - field that identifies the address of the webpage (i.e. the URI or IRI) that + # - linked to the resource being requested. By checking the referrer, the new + # - webpage can see where the request originated. + # - + # - For a complete list and explanation of values, see urls above + # - + # - Example: "no-referrer-when-downgrade" + # - The browser will not send the referrer header when navigating + # - from HTTPS to HTTP, but will always send the full URL in the + # - referrer header when navigating from HTTP to any origin. It + # - doesn't matter whether the source and destination are the same + # - site or not, only the scheme. + # - + #Header set Referrer-Policy "strict-origin-when-cross-origin" + + # - HTTP Strict Transport Security (HSTS) + # - + # - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/ + # - + # - HTTP Strict Transport Security (HSTS) is an excellent feature + # - to support on your site and strengthens your implementation of + # - TLS by getting the User Agent to enforce the use of HTTPS. + # - + # - HSTS tells a browser that the website should only be accessed through + # - a secure connection. The HSTS header will be remembered by a standard + # - compliant browser for max-age seconds. + # - + # - Remember this settings for 1 year + # - + #Header always set Strict-Transport-Security "max-age=15768000" diff --git a/DOC/README.HTTP_security_headers b/DOC/README.HTTP_security_headers index fd11dce..731360f 100644 --- a/DOC/README.HTTP_security_headers +++ b/DOC/README.HTTP_security_headers @@ -41,7 +41,7 @@ Header always set X-Frame-Options "SAMEORIGIN" # - if it detects an attack rather than sanitising # - the script. # - -Header always set X-Content-Type-Options "nosniff" +Header always set X-XSS-Protection "1; mode=block" # - X-Content-Type-Options