# ==========
# - HTTP security headers
# ==========

# - X-Frame-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# -
# - X-Frame-Options tells the browser whether you want to
# - allow your site to be framed or not. By preventing a
# - browser from framing your site you can defend against
# - attacks like clickjacking.
# -
# - Valid values:
# -
# - DENY meaning your site can't be framed
# -
# - SAMEORIGIN which allows you to frame your own site
# -
# - ALLOW-FROM https://example.com/ which lets you specify
# - sites that are permitted to frame your own site.
# -
Header always set X-Frame-Options "SAMEORIGIN"

# - X-XSS-Protection
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
# -
# - X-XSS-Protection sets the configuration for the cross-site
# - scripting filters built into most browsers. The best
# - configuration is "X-XSS-Protection: 1; mode=block".
# -
# - Valid settings for the header are:
# -
# - 0 which disables the protection,
# -
# - 1 which enables the protection
# -
# - 1; mode=block which tells the browser to block the response
# - if it detects an attack rather than sanitising
# - the script.
# -
Header always set X-XSS-Protection "1; mode=block"

# - X-Content-Type-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
# -
# - X-Content-Type-Options stops a browser from trying to MIME-sniff
# - the content type and forces it to stick with the declared
# - content-type.
# -
# - The only valid value for this header is
# -
# - "X-Content-Type-Options: nosniff".
# -
Header always set X-Content-Type-Options "nosniff"

# - Strict-Transport-Security
# -
# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
# -
# - HTTP Strict Transport Security (HSTS) is an excellent feature
# - to support on your site and strengthens your implementation of
# - TLS by getting the User Agent to enforce the use of HTTPS.
# -
# - The HSTS header will be remembered by a standards-compliant browser
# - for max-age seconds.
# -
#Header add Strict-Transport-Security "max-age=15768000"
Header always set Strict-Transport-Security "max-age=31536000"

# - Content-Security-Policy (CSP)
# -
# - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
# -
# - Content Security Policy is an effective measure to protect your
# - site from XSS attacks. By whitelisting sources of approved content,
# - you can prevent the browser from loading malicious assets. Analyse
# - this policy in more detail before enforcing it.
# -
# - Once you've created your policy, there's a really great feature you
# - can take advantage of to test it. Instead of sending the header
# - Content-Security-Policy:, you can send Content-Security-Policy-Report-Only:.
# - This means the browser will receive and act upon the policy, but instead of
# - enforcing it, it will give you feedback on what the effects of the policy
# - would have been.
# -
# - For a complete list and explanation of values, see the URLs above.
# -
# - Examples: "default-src 'self';"
# - would only allow assets to be loaded from the current origin
# - (but not subdomains).
# -
# - "default-src https:"
# - would allow any assets to be loaded over https from any origin.
# - Note that scheme sources such as https: are written without quotes;
# - only keywords such as 'self' are quoted.
# -
Header set Content-Security-Policy "default-src https:;"

# - Referrer-Policy
# -
# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# -      https://www.w3.org/TR/referrer-policy/
# -
# - Referrer Policy is a new header that allows a site to control how
# - much information the browser includes with navigations away from
# - a document and should be set by all sites.
# -
# - For a complete list and explanation of values, see the URLs above.
# -
# - Example: "no-referrer-when-downgrade"
# - The browser will not send the referrer header when navigating
# - from HTTPS to HTTP, but will always send the full URL in the
# - referrer header when navigating from HTTP to any origin. It
# - doesn't matter whether the source and destination are the same
# - site or not, only the scheme.
# -
Header set Referrer-Policy "no-referrer-when-downgrade"
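As an added example that is not part of this config file, the Python audit below checks a set of response headers against the directives above (valid X-Frame-Options values, nosniff, the XSS filter setting, an HSTS max-age of at least a year, an enforced and correctly quoted CSP, and a Referrer-Policy). The minimum max-age and both sample header sets are constructed for illustration, not captured from a real server.

```python
"""Audit HTTP response headers against the hardening directives above."""
import re

HSTS_MIN_AGE = 31536000  # one year, matching the max-age set in the config


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "").upper()
    if not (xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM ")):
        findings.append("X-Frame-Options missing or invalid (expect DENY, SAMEORIGIN or ALLOW-FROM)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be 'nosniff'")

    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection should be '1; mode=block'")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("Strict-Transport-Security missing or has no max-age")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {HSTS_MIN_AGE}")

    csp = h.get("content-security-policy", "")
    if not csp:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is report-only: the policy is not enforced yet")
        else:
            findings.append("Content-Security-Policy missing")
    elif re.search(r"'(https?:|\*)'", csp):
        # A quoted scheme like 'https:' is not a valid source expression and is ignored
        findings.append("CSP quotes a scheme or wildcard; only keywords like 'self' take quotes")

    if not h.get("referrer-policy"):
        findings.append("Referrer-Policy missing")
    return findings


# Constructed sample header sets: one matching the config above, one with common mistakes
HARDENED = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000",
            "Content-Security-Policy": "default-src https:;", "Referrer-Policy": "no-referrer-when-downgrade"}
WEAK = {"X-Frame-Options": "ALLOWALL", "Strict-Transport-Security": "max-age=15768000",
        "Content-Security-Policy": "default-src 'https:';"}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_headers(hdrs) or ["OK"])
```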