install/apache2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7de111487f
apache2/DOC/README.HTTP-security-headers

225 lines
10 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ==========
# - HTTP security Headers
# ==========
# ----------
# - You can test yout HTTP Header setting here:
# - https://securityheaders.com/
# ----------
# - X-Frame-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# -
# - X-Frame-Options tells the browser whether you want to
# - allow your site to be framed or not. By preventing a
# - browser from framing your site you can defend against
# - attacks like clickjacking
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# -
# - <iframe src="https://scotthelme.co.uk"></iframe>
# -
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - to your site!
# -
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
# - of you':
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values:
# -
# - DENY meaning your site can't be framed
# -
# - SAMEORIGIN which allows you to frame your own site
# -
# - ALLOW-FROM https://example.com/ which lets you specify
# - sites that are permitted to frame your own site.
# -
# - Note:
# - For Apache 2.2 use
# - Header always set X-Frame-Options "SAMEORIGIN"
# -
#Header always append X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
# -
# - X-XSS-Protection sets the configuration for the cross-site
# - scripting filters built into most browsers. The best
# - configuration is "X-XSS-Protection: 1; mode=block".
# -
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit).
# -
# - Valid settings for the header are:
# -
# - 0 which disables the protection,
# -
# - 1 which enables the protection
# -
# - 1; mode=block which tells the browser to block the response
# - if it detects an attack rather than sanitising
# - the script.
# -
#Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
# -
# - X-Content-Type-Options stops a browser from trying to MIME-sniff
# - the content type and forces it to stick with the declared
# - content-type.
# -
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - an executable.
# -
# - The only valid value for this header is
# -
# - "X-Content-Type-Options: nosniff".
# -
#Header always set X-Content-Type-Options "nosniff"
# - Content Security Policy
# -
# - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
# - https://content-security-policy.com/
# -
# - Content Security Policy is an effective measure to protect your
# - site from XSS attacks by whitelisting sources of approved content.
# -
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# -
# - Examples: "default-src 'self';"
# - would only allow assets to be loaded from the current origin
# - (but not subdomains).
# -
# - "default-src https:"
# - would allow any assets to be loaded over https from any origin.
# -
# - Allow Google Analytics, Google AJAX CDN and Same Origin
# - script-src 'self' www.google-analytics.com ajax.googleapis.com;
# -
# - Emmbedding Google Fonts
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# -
# - Allow YouTube Videos (iframe embedded) and Same Origin
# - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
# - worker-src 'self' www.youtube.com
# -
# - Allow OpenStreetMap
# - script-src (self)
# - style-src ('unsafe-inline')
# - img-src (data:)
# - font-src (data:)
# - sandbox (allow-scripts allow-same-origin)
# -
#Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'"
# - A more secure configuration, including Google Analytics, Google AJAX CDN
# - and Emmbedding Google Fonts
# -
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# - Same as above but also allow YouTube Videos
# -
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# - Same as above but also allow YouTube Videos
# -
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# - Referrer-Policy
# -
# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# - https://www.w3.org/TR/referrer-policy/
# -
# - Referrer Policy is a new header that allows a site to control how
# - much information the browser includes with navigations away from
# - a document and should be set by all sites.
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Example: "no-referrer-when-downgrade"
# - The browser will not send the referrer header when navigating
# - from HTTPS to HTTP, but will always send the full URL in the
# - referrer header when navigating from HTTP to any origin. It
# - doesn't matter whether the source and destination are the same
# - site or not, only the scheme.
# -
#Header set Referrer-Policy "strict-origin-when-cross-origin"
# - Permissions-Policy
# -
# - see also:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
# -
# - Browser bieten einige Features und APIs, auf die wir Entwickler zugreifen können.
# - Das beinhaltet etwa Kamera und Mikrofon des Endgeräts. Mit einer Permissions Policy
# - können wir diese Funktionen für unsere Seite aktivieren, deaktivieren oder auf eine
# - Quelle begrenzen. Wenn ihr ein Feature abschaltet, können auch keine Dritten darauf
# - zugreifen, etwa per eingebettetem <iframe>. Ihr könnt jedes Feature über eine eigene
# - Direktive individuell einrichten.
# -
# - This specification defines a mechanism that allows developers to selectively enable
# - and disable use of various browser features and APIs.
# -
#Header always set Permissions-Policy: "usb=()"
# - Set-Cookie
# -
# - The Set-Cookie HTTP response header is used to send a cookie from the server to the
# - user agent, so that the user agent can send it back to the server later. To send
# - multiple cookies, multiple Set-Cookie headers should be sent in the same response.
# -
# - You can mitigate most of the common Cross Site Scripting attack using HttpOnly
# - and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible
# - to steal or manipulate web application session and cookies and its dangerous.
# -
# - Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
# -
# -
# - best possible cookie:
# - Header set Set-Cookie: "__Host-sess=a92fe1; path=/; Secure; HttpOnly; SameSite=Strict"
#
#Header set Set-Cookie: "sess=joh3Ao4e; path=/; HttpOnly"
# - HTTP Strict Transport Security (HSTS)
# -
# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
# -
# - HTTP Strict Transport Security (HSTS) is an excellent feature
# - to support on your site and strengthens your implementation of
# - TLS by getting the User Agent to enforce the use of HTTPS.
# -
# - HSTS tells a browser that the website should only be accessed through
# - a secure connection. The HSTS header will be remembered by a standard
# - compliant browser for max-age seconds.
# -
# - Remember this settings for 1 year
# -
#Header always set Strict-Transport-Security "max-age=15768000"
Reference in New Issue View Git Blame Copy Permalink