# ==========
# - HTTP security headers
# -
# - Requires mod_headers. Deliberately NOT wrapped in <IfModule
# - mod_headers.c>: if the module is missing, Apache should refuse to
# - start rather than silently serve the site without these headers.
# ==========
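# - X-Frame-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# -
# - X-Frame-Options tells the browser whether your pages may be
# - embedded in a <frame>/<iframe>/<object> on another page. Refusing
# - to be framed by other origins defends against clickjacking
# - (UI redress) attacks.
# -
# - Valid values:
# -
# - DENY        the page can never be framed, not even by itself
# -
# - SAMEORIGIN  only pages from the same origin may frame it
# -
# - ALLOW-FROM https://example.com/
# -             was meant to permit one named origin, but Chrome and
# -             Safari never implemented it and Firefox has dropped
# -             it. A browser that does not recognise the value
# -             ignores the header entirely (no protection at all),
# -             so do not use it. For per-origin allow-lists use the
# -             CSP directive "frame-ancestors", which takes
# -             precedence over this header when both are present.
# -
# - "always" makes mod_headers add the header on every response,
# - including the redirects and error pages Apache generates itself;
# - plain "Header set" is not applied to those non-2xx responses.
Header always set X-Frame-Options "SAMEORIGIN"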
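# - X-XSS-Protection
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
# -
# - X-XSS-Protection configures the reflected-XSS filter built into
# - some browsers. Per the article above the strongest setting is
# - "X-XSS-Protection: 1; mode=block".
# -
# - Valid settings for the header are:
# -
# - 0 which disables the protection,
# -
# - 1 which enables the protection
# -
# - 1; mode=block which tells the browser to block the response
# - if it detects an attack rather than sanitising
# - the script.
# -
# - NOTE(review): the filter this header drives has been removed from
# - Chromium-based browsers and Edge, and Firefox never implemented
# - one, so today it only matters for Safari and legacy Internet
# - Explorer. The filter has also been abused as a side channel to
# - leak page contents, which is why OWASP now recommends "0" (off)
# - and relying on Content-Security-Policy instead. "1; mode=block"
# - is kept here to match the advice above; change it to "0" if you
# - follow OWASP's current guidance. Either way the CSP section below
# - is the real XSS control, not this header.
# -
# - "always" keeps the header on error pages and redirects too.
Header always set X-XSS-Protection "1; mode=block"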
# - X-Content-Type-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
# -
# - "nosniff" stops the browser from guessing a response's type from
# - its bytes ("MIME sniffing") and makes it trust the declared
# - Content-Type instead. Without it, a user-uploaded file or an API
# - response that happens to look like HTML or JavaScript can end up
# - executed as such. With it, the browser also refuses to run
# - <script> or apply <link rel=stylesheet> resources whose
# - Content-Type is not a script/style type, which shuts down a class
# - of cross-site script inclusion attacks.
# -
# - The only valid value for this header is
# -
# - "X-Content-Type-Options: nosniff".
# -
# - Because the browser now believes the declared type, make sure
# - every static file and application response sends a correct one
# - (check AddType / mod_mime): a .js served as text/plain will stop
# - loading instead of being sniffed into working.
# -
# - "always" keeps the header on error pages and redirects too.
Header always set X-Content-Type-Options "nosniff"
# - Strict-Transport-Security
# -
# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
# -
# - HTTP Strict Transport Security (HSTS) strengthens your TLS
# - deployment by telling the User Agent to reach this host only over
# - HTTPS: later http:// requests are rewritten to https:// before
# - they leave the browser, and certificate errors can no longer be
# - clicked through.
# -
# - A standards-compliant browser remembers the policy for max-age
# - seconds from the last time it saw the header. 31536000 is one
# - year, the minimum the browser preload list accepts.
# -
# - Practical notes:
# - * Emit it only from the HTTPS virtual host; browsers ignore HSTS
# -   received over plain HTTP, so it is just noise there.
# - * Without "includeSubDomains" the policy covers this exact host
# -   only, and cookies scoped to the parent domain can still be set
# -   or read via a plaintext subdomain. Add it (and "preload" if you
# -   intend to submit to the preload list) only once every subdomain
# -   serves HTTPS, because browsers will then refuse any that do not
# -   for the whole max-age.
# - * Prefer "set" over "add": "add" appends a second header if
# -   another layer (reverse proxy, application) already sends one.
#Header add Strict-Transport-Security "max-age=15768000"
Header always set Strict-Transport-Security "max-age=31536000"
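# - Content-Security-Policy (CSP)
# -
# - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
# -
# - Content Security Policy is an effective measure to protect your
# - site from XSS attacks. By allow-listing the sources the browser
# - may load content from, you stop it fetching or running assets an
# - attacker injects. Analyse this policy in more detail before you
# - deploy it.
# -
# - Once you've created your policy, test it before enforcing it:
# - send Content-Security-Policy-Report-Only: instead of
# - Content-Security-Policy:. The browser evaluates the policy but
# - only reports what it *would* have blocked (to the console and,
# - with a report-uri/report-to directive, to a reporting endpoint)
# - instead of enforcing it.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Examples: "default-src 'self';"
# - would only allow assets to be loaded from the current origin
# - (but not subdomains).
# -
# - "default-src https:"
# - would allow any assets to be loaded over https from any origin.
# -
# - Syntax: scheme sources (https:) and host sources (cdn.example.com)
# - are written bare; only keywords such as 'self', 'none',
# - 'unsafe-inline' and 'nonce-...' are quoted. "'https:'" in quotes
# - is not a valid source expression: browsers discard it, and a
# - default-src whose source list ends up empty behaves like 'none',
# - i.e. every script, style, image, font and XHR on the site is
# - blocked. The directive below was previously written that way.
# -
# - Caveats for the policy below:
# - * "https:" still trusts every HTTPS origin on the internet,
# -   including ones an attacker controls; tighten it to 'self' plus
# -   the named CDNs you actually use.
# - * Inline <script>/<style>, on* event handlers and javascript:
# -   URLs are blocked (no 'unsafe-inline'); use nonces/hashes or
# -   move the code into files.
# - * default-src does not cover frame-ancestors, so add it (or keep
# -   X-Frame-Options) if you need to control framing.
# -
# - "always" keeps the header on error pages and redirects too, which
# - matters because error pages are a common reflection point.
Header always set Content-Security-Policy "default-src https:;"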
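# - Referrer-Policy
# -
# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# - https://www.w3.org/TR/referrer-policy/
# -
# - Referrer-Policy lets a site control how much of the current URL
# - the browser puts in the Referer header when it navigates away
# - from, or fetches a subresource for, a document. Every site should
# - set it: without one the full URL (path and query string, which
# - may carry tokens, IDs or search terms) leaks to every third
# - party you link to or embed.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Example: "no-referrer-when-downgrade"
# - The browser sends no Referer when the security level drops
# - (HTTPS -> HTTP), but sends the FULL URL whenever it does not
# - (HTTP -> anywhere, HTTPS -> HTTPS), regardless of whether the
# - destination is the same site or a third party. Only the scheme
# - matters, not the origin.
# -
# - NOTE(review): that means an HTTPS site with this policy still
# - leaks full URLs to every HTTPS third party. The browsers' current
# - default, "strict-origin-when-cross-origin", sends only the origin
# - cross-site and is the safer choice unless some cross-site
# - integration genuinely needs the full URL.
# -
# - "always" keeps the header on error pages and redirects too.
Header always set Referrer-Policy "no-referrer-when-downgrade"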