# ========== # - HTTP security Headers # ========== # You can mitigate most of the common Cross Site Scripting attack using HttpOnly # and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible # to steal or manipulate web application session and cookies and it’s dangerous. # #Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure" # - X-Frame-Options # - # - The X-Frame-Options header (RFC), or XFO header, protects your visitors # - against clickjacking attacks. An attacker can load up an iframe on their # - site and set your site as the source, it's quite easy: # - # - # - # - Using some crafty CSS they can hide your site in the background and create some # - genuine looking overlays. When your visitors click on what they think is a harmless # - link, they're actually clicking on links on your website in the background. That # - might not seem so bad until we realise that the browser will execute those requests # - in the context of the user, which could include them being logged in and authenticated # - to your site! # - # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front : # - of you': # - # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html # - # - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows # - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify # - sites that are permitted to frame your own site. # - # - Note: # - For Apache 2.2 use # - Header always set X-Frame-Options "SAMEORIGIN" # - #Header always append X-Frame-Options "SAMEORIGIN" # - X-Xss-Protection # - # - This header is used to configure the built in reflective XSS protection found # - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header # - are 0, which disables the protection, 1 which enables the protection # - and 1; mode=block which tells the browser to block the response if it # - detects an attack rather than sanitising the script. # - #Header always set X-Xss-Protection "1; mode=block" # - X-Content-Type-Options # - # - Nice and easy to configure, this header only has one valid value, nosniff. # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff # - the content-type of a response away from the one being declared by the server. # - It reduces exposure to drive-by downloads and the risks of user uploaded content # - that, with clever naming, could be treated as a different content-type, like # - an executable. # - #Header always set X-Content-Type-Options "nosniff" # - Content Security Policy # - # - The CSP header allows you to define a whitelist of approved sources of content # - for your site. By restricting the assets that a browser can load for your site, # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I # - have covered CSP in a lot more detail in my blog Content Security Policy - An # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/). # - # - Here is a basic policy to enforce TLS on all assets and prevent # - mixed content warnings. # - # - Allow Google Analytics, Google AJAX CDN and Same Origin # - script-src 'self' www.google-analytics.com ajax.googleapis.com; # - # - Emmbedding Google Fonts # - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; # - # - Allow YouTube Videos (iframe embedded) and Same Origin # - frame-src 'self' https://www.youtube.com (frame-src is deprecated) # - worker-src 'self' www.youtube.com # - #Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'" # - A more secure configuration, including Google Analytics, Google AJAX CDN # - and Emmbedding Google Fonts # - #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" # - Same as above but also allow YouTube Videos # - #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self'' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" # - Referrer-Policy # - # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header # - field that identifies the address of the webpage (i.e. the URI or IRI) that # - linked to the resource being requested. By checking the referrer, the new # - webpage can see where the request originated. # - #Header set Referrer-Policy "strict-origin-when-cross-origin" # - HTTP Strict Transport Security (HSTS) # - # - HSTS tells a browser that the website should only be accessed through # - a secure connection. The HSTS header will be remembered by a standard # compliant browser for max-age seconds. # - # - Remember this settings for 1 year # - #Header always set Strict-Transport-Security "max-age=15768000"