From bd5e5872b372972d411d909abef1189cf40c671c Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 23 Apr 2018 14:48:28 +0200
Subject: [PATCH] Adjust 'HTTP Security Header' documentaion.
---
 README.HTTP-security-headers | 104 ++++++++++++++++++++++++++++++-----
 1 file changed, 91 insertions(+), 13 deletions(-)
diff --git a/README.HTTP-security-headers b/README.HTTP-security-headers
index 4f58a30..5334e6b 100644
--- a/README.HTTP-security-headers
+++ b/README.HTTP-security-headers
@@ -10,6 +10,13 @@
 #Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
  # - X-Frame-Options
+ # -
+ # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
+ # -
+ # - X-Frame-Options tells the browser whether you want to
+ # - allow your site to be framed or not. By preventing a
+ # - browser from framing your site you can defend against
+ # - attacks like clickjacking
  # -
  # - The X-Frame-Options header (RFC), or XFO header, protects your visitors
  # - against clickjacking attacks. An attacker can load up an iframe on their
@@ -29,9 +36,14 @@
  # -
  # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
  # -
- # - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
- # - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
- # - sites that are permitted to frame your own site.
+ # - Valid values:
+ # -
+ # - DENY meaning your site can't be framed
+ # -
+ # - SAMEORIGIN which allows you to frame your own site
+ # -
+ # - ALLOW-FROM https://example.com/ which lets you specify
+ # - sites that are permitted to frame your own site.
  # -
  # - Note:
  # - For Apache 2.2 use
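Review bot: The new "Valid values" list in the second hunk presents `ALLOW-FROM https://example.com/` on a par with DENY and SAMEORIGIN, but that value is not honoured by every browser engine, and an engine that ignores it applies no framing restriction at all, so the reader is left believing they have an allow-list when they may have nothing. The CSP policies later in this file already carry `frame-ancestors 'self'`, which is the interoperable way to allow specific origins, so the list should point there; suggested lines after the ALLOW-FROM entry: `# - Note: ALLOW-FROM is not supported by all browsers; use the CSP` and `# - frame-ancestors directive (see below) to permit specific origins.` The same cross-reference would fit the X-Frame-Options introduction added in the first hunk.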
@@ -40,16 +52,35 @@
 #Header always append X-Frame-Options "SAMEORIGIN"
  # - X-Xss-Protection
+ # -
+ # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
+ # -
+ # - X-XSS-Protection sets the configuration for the cross-site
+ # - scripting filters built into most browsers. The best
+ # - configuration is "X-XSS-Protection: 1; mode=block".
  # -
  # - This header is used to configure the built in reflective XSS protection found
- # - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
- # - are 0, which disables the protection, 1 which enables the protection
- # - and 1; mode=block which tells the browser to block the response if it
- # - detects an attack rather than sanitising the script.
+ # - in Internet Explorer, Chrome and Safari (Webkit).
+ # -
+ # - Valid settings for the header are:
+ # -
+ # - 0 which disables the protection,
+ # -
+ # - 1 which enables the protection
+ # -
+ # - 1; mode=block which tells the browser to block the response
+ # - if it detects an attack rather than sanitising
+ # - the script.
  # -
 #Header always set X-Xss-Protection "1; mode=block"
  # - X-Content-Type-Options
+ # -
+ # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
+ # -
+ # - X-Content-Type-Options stops a browser from trying to MIME-sniff
+ # - the content type and forces it to stick with the declared
+ # - content-type.
  # -
  # - Nice and easy to configure, this header only has one valid value, nosniff.
  # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
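Review bot: The added X-Xss-Protection summary says the filter is "built into most browsers" and calls `1; mode=block` "the best configuration", while the retained paragraph directly below scopes it to Internet Explorer, Chrome and Safari; Firefox ships no such filter, so the two statements disagree and the new one overstates the coverage. The summary should also say what the retained text implies: this header only tunes a browser-side heuristic and is a secondary control next to the Content Security Policy documented further down in this file. Suggested replacement for the last two added lines of that paragraph: `# - scripting filters built into some browsers. Where such a filter exists,` and `# - "X-XSS-Protection: 1; mode=block" is the usual setting; CSP (below) is the primary defence.`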
@@ -57,10 +88,20 @@
  # - It reduces exposure to drive-by downloads and the risks of user uploaded content
  # - that, with clever naming, could be treated as a different content-type, like
  # - an executable.
+ # -
+ # - The only valid value for this header is
+ # -
+ # - "X-Content-Type-Options: nosniff".
  # -
 #Header always set X-Content-Type-Options "nosniff"
  # - Content Security Policy
+ # -
+ # - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
+ # - https://content-security-policy.com/
+ # -
+ # - Content Security Policy is an effective measure to protect your
+ # - site from XSS attacks by whitelisting sources of approved content.
  # -
  # - The CSP header allows you to define a whitelist of approved sources of content
  # - for your site. By restricting the assets that a browser can load for your site,
@@ -68,8 +109,12 @@
  # - have covered CSP in a lot more detail in my blog Content Security Policy - An
  # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
  # -
- # - Here is a basic policy to enforce TLS on all assets and prevent
- # - mixed content warnings.
+ # - Examples: "default-src 'self';"
+ # - would only allow assets to be loaded from the current origin
+ # - (but not subdomains).
+ # -
+ # - "default-src https:"
+ # - would allow any assets to be loaded over https from any origin.
  # -
  # - Allow Google Analytics, Google AJAX CDN and Same Origin
  # - script-src 'self' www.google-analytics.com ajax.googleapis.com;
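Review bot: The second example in the `@@ -68,8 +109,12 @@` hunk, `"default-src https:"`, is presented without any caveat, yet a policy that lets script load from any HTTPS origin gives essentially no protection against XSS, which is exactly what the CSP introduction added in the preceding hunk says the header is for; suggest appending `# - (this only blocks mixed content; it does not limit which origins may run script, so it offers little XSS protection)`. The removed sentence "Here is a basic policy to enforce TLS on all assets and prevent mixed content warnings." was also the lead-in for the "Allow Google Analytics, Google AJAX CDN and Same Origin" directive list that follows it, which now begins with no introduction; a one-line heading such as `# - Building blocks for a stricter policy:` before that list would restore the flow.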
@@ -78,8 +123,15 @@
  # - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
  # -
  # - Allow YouTube Videos (iframe embedded) and Same Origin
- # - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
- # - worker-src 'self' www.youtube.com
+ # - frame-src 'self' https://www.youtube.com (frame-src is deprecated)
+ # - worker-src 'self' www.youtube.com
+ # -
+ # - Allow OpenStreetMap
+ # - script-src (self)
+ # - style-src ('unsafe-inline')
+ # - img-src (data:)
+ # - font-src (data:)
+ # - sandbox (allow-scripts allow-same-origin)
  # -
 #Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'"
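Review bot: The new "Allow OpenStreetMap" list uses a parenthesised notation (`script-src (self)`, `style-src ('unsafe-inline')`, `img-src (data:)`) that is not CSP syntax and differs from the `frame-src 'self' https://www.youtube.com` form used for YouTube two lines above, so a reader who copies it into a policy gets invalid source expressions. It also names no OpenStreetMap host at all, so it does not say which origin the map assets come from or under which directive they must be allowed. Suggest writing the entries in the same form as the YouTube block, e.g. `# - img-src 'self' data: <osm-tile-host>` (placeholder, to be replaced with the actual tile host), and adding a note on the last line that `sandbox allow-scripts allow-same-origin` grants the page both script execution and its own origin, which leaves little of the sandbox's isolation in effect.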
@@ -90,22 +142,48 @@
  # - Same as above but also allow YouTube Videos
  # -
-#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self'' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+
+ # - Same as above but also allow YouTube Videos
+ # -
+#Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
  # - Referrer-Policy
+ # -
+ # - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+ # - https://www.w3.org/TR/referrer-policy/
  # -
+ # - Referrer Policy is a new header that allows a site to control how
+ # - much information the browser includes with navigations away from
+ # - a document and should be set by all sites.
+ # -
  # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
  # - field that identifies the address of the webpage (i.e. the URI or IRI) that
  # - linked to the resource being requested. By checking the referrer, the new
  # - webpage can see where the request originated.
  # -
+ # - For a complete list and explanation of values, see urls above
+ # -
+ # - Example: "no-referrer-when-downgrade"
+ # - The browser will not send the referrer header when navigating
+ # - from HTTPS to HTTP, but will always send the full URL in the
+ # - referrer header when navigating from HTTP to any origin. It
+ # - doesn't matter whether the source and destination are the same
+ # - site or not, only the scheme.
+ # -
 #Header set Referrer-Policy "strict-origin-when-cross-origin"
  # - HTTP Strict Transport Security (HSTS)
+ # -
+ # - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
+ # -
+ # - HTTP Strict Transport Security (HSTS) is an excellent feature
+ # - to support on your site and strengthens your implementation of
+ # - TLS by getting the User Agent to enforce the use of HTTPS.
  # -
  # - HSTS tells a browser that the website should only be accessed through
  # - a secure connection. The HSTS header will be remembered by a standard
- # compliant browser for max-age seconds.
+ # - compliant browser for max-age seconds.
  # -
  # - Remember this settings for 1 year
  # -
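Review bot: The comment above the new third policy reads `# - Same as above but also allow YouTube Videos`, a copy of the comment on the policy above it, while the policy itself differs by adding `data:` to img-src and `*.openstreetmap.org` to worker-src; it should read `# - Same as above but also allow OpenStreetMap`. That host is allowed only under worker-src, yet the "Allow OpenStreetMap" list added in the earlier hunk mentions img-src and font-src and no worker at all; if the map library fetches tiles as images, this policy would block them and the host belongs in img-src instead, which is worth verifying against a browser's console before merging. Separately, the Referrer-Policy text walks through `no-referrer-when-downgrade` as its only example, while the directive below sets `strict-origin-when-cross-origin`; a short description of the configured value (origin only on cross-site navigations, nothing on HTTPS to HTTP) next to the `#Header set Referrer-Policy` line would stop readers from taking the example as a description of what is actually sent.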