script/apache2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adjust 'HTTP Security Header' documentaion.

Browse Source
This commit is contained in:
Christoph 2018-04-23 14:48:28 +02:00
parent c3a13d935e
commit bd5e5872b3
1 changed files with 91 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
README.HTTP-security-headers
View File

@ -10,6 +10,13 @@
#Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
# - X-Frame-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# -
# - X-Frame-Options tells the browser whether you want to
# - allow your site to be framed or not. By preventing a
# - browser from framing your site you can defend against
# - attacks like clickjacking
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
@ -29,9 +36,14 @@
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
# - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
# - sites that are permitted to frame your own site.
# - Valid values:
# -
# - DENY meaning your site can't be framed
# -
# - SAMEORIGIN which allows you to frame your own site
# -
# - ALLOW-FROM https://example.com/ which lets you specify
# - sites that are permitted to frame your own site.
# -
# - Note:
# - For Apache 2.2 use
@ -40,16 +52,35 @@
#Header always append X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
# -
# - X-XSS-Protection sets the configuration for the cross-site
# - scripting filters built into most browsers. The best
# - configuration is "X-XSS-Protection: 1; mode=block".
# -
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
# - are 0, which disables the protection, 1 which enables the protection
# - and 1; mode=block which tells the browser to block the response if it
# - detects an attack rather than sanitising the script.
# - in Internet Explorer, Chrome and Safari (Webkit).
# -
# - Valid settings for the header are:
# -
# - 0 which disables the protection,
# -
# - 1 which enables the protection
# -
# - 1; mode=block which tells the browser to block the response
# - if it detects an attack rather than sanitising
# - the script.
# -
#Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options
# -
# - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
# -
# - X-Content-Type-Options stops a browser from trying to MIME-sniff
# - the content type and forces it to stick with the declared
# - content-type.
# -
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
@ -57,10 +88,20 @@
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - an executable.
# -
# - The only valid value for this header is
# -
# - "X-Content-Type-Options: nosniff".
# -
#Header always set X-Content-Type-Options "nosniff"
# - Content Security Policy
# -
# - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
# - https://content-security-policy.com/
# -
# - Content Security Policy is an effective measure to protect your
# - site from XSS attacks by whitelisting sources of approved content.
# -
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
@ -68,8 +109,12 @@
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# -
# - Here is a basic policy to enforce TLS on all assets and prevent
# - mixed content warnings.
# - Examples: "default-src 'self';"
# - would only allow assets to be loaded from the current origin
# - (but not subdomains).
# -
# - "default-src https:"
# - would allow any assets to be loaded over https from any origin.
# -
# - Allow Google Analytics, Google AJAX CDN and Same Origin
# - script-src 'self' www.google-analytics.com ajax.googleapis.com;
@ -78,8 +123,15 @@
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# -
# - Allow YouTube Videos (iframe embedded) and Same Origin
# - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
# - worker-src 'self' www.youtube.com
# - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
# - worker-src 'self' www.youtube.com
# -
# - Allow OpenStreetMap
# - script-src (self)
# - style-src ('unsafe-inline')
# - img-src (data:)
# - font-src (data:)
# - sandbox (allow-scripts allow-same-origin)
# -
#Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'"
@ -90,22 +142,48 @@
# - Same as above but also allow YouTube Videos
# -
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self'' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# - Same as above but also allow YouTube Videos
# -
#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
# - Referrer-Policy
# -
# - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# - https://www.w3.org/TR/referrer-policy/
# -
# - Referrer Policy is a new header that allows a site to control how
# - much information the browser includes with navigations away from
# - a document and should be set by all sites.
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
# - For a complete list and explanation of values, see urls above
# -
# - Example: "no-referrer-when-downgrade"
# - The browser will not send the referrer header when navigating
# - from HTTPS to HTTP, but will always send the full URL in the
# - referrer header when navigating from HTTP to any origin. It
# - doesn't matter whether the source and destination are the same
# - site or not, only the scheme.
# -
#Header set Referrer-Policy "strict-origin-when-cross-origin"
# - HTTP Strict Transport Security (HSTS)
# -
# - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
# -
# - HTTP Strict Transport Security (HSTS) is an excellent feature
# - to support on your site and strengthens your implementation of
# - TLS by getting the User Agent to enforce the use of HTTPS.
# -
# - HSTS tells a browser that the website should only be accessed through
# - a secure connection. The HSTS header will be remembered by a standard
# compliant browser for max-age seconds.
# - compliant browser for max-age seconds.
# -
# - Remember this settings for 1 year
# -