conf get_sites_with_external_nameservers.sh: add support for 'omitted site names'. 2021-02-14 12:06:52 +01:00
OLD Rename create_vhost_php.sh to create_vhost.sh. Add support for vhost configuration for redirecting sites. 2017-11-23 19:58:35 +01:00
.gitignore handle_domain_on_webserver.sh: first version ready for usage. 2017-08-13 18:37:34 +02:00
add_custom_log_to_vhost.sh Initial import 2017-02-21 02:20:36 +01:00
add_https_to_vhosts.sh Initial import 2017-02-21 02:20:36 +01:00
apache_memory_usage.sh Initial import 2017-02-21 02:20:36 +01:00
archive_logfiles.sh Add script 'archive_logfiles.sh'. 2017-07-03 15:29:17 +02:00
check_domain_on_webserver.sh Add script 'handle_domain_on_webserver.sh' with symlinks 'check_domain_on_webserver.sh' and 'show_domain_on_webserver.sh'. 2017-07-05 02:38:59 +02:00
convert_vhosts_2.4.sh Initial import 2017-02-21 02:20:36 +01:00
create_summary_websites.sh ./create_summary_websites.sh: add support for PHP version 8.1 2022-02-04 03:59:32 +01:00
create_vhost.sh create_vhost.sh: allow multiple ipv6/ipv4 addresses. 2022-03-04 00:11:28 +01:00
delete_domain_related_configurations.sh handle_domain_on_webserver.sh: first version ready for usage. 2017-08-13 18:37:34 +02:00
get_apache2_info.sh get_apache2_info.sh: fix shebang error. 2021-02-13 03:28:34 +01:00
get_sites_with_external_nameservers.sh Adjust script 'get_sites_with_external_nameservers.sh'. 2021-08-12 11:28:26 +02:00
handle_domain_on_webserver.sh handle_domain_on_webserver.sh: add support for cleaning up dehydrated's domains.txt file. 2018-09-14 14:06:46 +02:00
max_memory_limit_apache.sh Initial import 2017-02-21 02:20:36 +01:00
README.HTTP-security-headers Adjust README.HTTP-security-headers. 2018-04-26 03:59:15 +02:00
show_domain_on_webserver.sh Add script 'handle_domain_on_webserver.sh' with symlinks 'check_domain_on_webserver.sh' and 'show_domain_on_webserver.sh'. 2017-07-05 02:38:59 +02:00


   # ==========
   # - HTTP security Headers
   # ==========

   # You can mitigate most of the common Cross Site Scripting attacks by setting
   # the HttpOnly and Secure flags on cookies: HttpOnly keeps script from reading
   # the cookie, Secure keeps it off plain-HTTP connections. Without HttpOnly and
   # Secure it is possible to steal or manipulate the web application's session
   # cookies, which is dangerous.
   #
   #Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"

   # - X-Frame-Options
   # - 
   # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
   # - 
   # - X-Frame-Options tells the browser whether you want to 
   # - allow your site to be framed or not. By preventing a 
   # - browser from framing your site you can defend against 
   # - attacks like clickjacking
   # -
   # - The X-Frame-Options header (RFC), or XFO header, protects your visitors 
   # - against clickjacking attacks. An attacker can load up an iframe on their 
   # - site and set your site as the source, it's quite easy: 
   # -
   # -    <iframe src="https://scotthelme.co.uk"></iframe>
   # -
   # - Using some crafty CSS they can hide your site in the background and create some 
   # - genuine looking overlays. When your visitors click on what they think is a harmless 
   # - link, they're actually clicking on links on your website in the background. That 
   # - might not seem so bad until we realise that the browser will execute those requests 
   # - in the context of the user, which could include them being logged in and authenticated 
   # - to your site!
   # -
   # - Troy Hunt has a great blog post, 'Clickjack attack - the hidden threat
   # - right in front of you':
   # -
   # -    http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
   # -
   # - Valid values:
   # -
   # -    DENY meaning your site can't be framed
   # -
   # -    SAMEORIGIN which allows you to frame your own site
   # -
   # -    ALLOW-FROM https://example.com/ which lets you specify 
   # -               sites that are permitted to frame your own site.
   # -
   # - Note:
   # - For Apache 2.2 use
   # -    Header always set X-Frame-Options "SAMEORIGIN"
   # -
   # - 'append' adds to a header the application may already have set, giving
   # - a combined value such as "SAMEORIGIN, SAMEORIGIN"; browsers do not handle
   # - such a value uniformly, so prefer 'set' (one unambiguous value) unless
   # - the application is known never to emit this header itself.
   # -
   #Header always append X-Frame-Options "SAMEORIGIN"

   # -  X-Xss-Protection
   # - 
   # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
   # - 
   # - X-XSS-Protection sets the configuration for the cross-site
   # - scripting filters built into most browsers. The best 
   # - configuration is "X-XSS-Protection: 1; mode=block".
   # -
   # - This header is used to configure the built in reflective XSS protection found
   # - in Internet Explorer, Chrome and Safari (Webkit).
   # -
   # - Note: Chromium-based browsers have since removed this filter and Firefox
   # - never implemented it, so the header only affects older browsers; rely on
   # - Content-Security-Policy for XSS defence rather than on this header.
   # -
   # - Valid settings for the header are:
   # -
   # -    0 which disables the protection, 
   # -
   # -    1 which enables the protection 
   # -
   # -    1; mode=block which tells the browser to block the response 
   # -                  if it detects an attack rather than sanitising 
   # -                  the script.
   # -
   #Header always set X-Xss-Protection "1; mode=block"

   # - X-Content-Type-Options
   # - 
   # - See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
   # - 
   # - X-Content-Type-Options stops a browser from trying to MIME-sniff
   # - the content type and forces it to stick with the declared
   # - content-type.
   # -
   # - Nice and easy to configure, this header only has one valid value, nosniff.
   # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
   # - the content-type of a response away from the one being declared by the server.
   # - It reduces exposure to drive-by downloads and the risks of user uploaded content
   # - that, with clever naming, could be treated as a different content-type, like
   # - an executable.
   # -
   # - The only valid value for this header is
   # -
   # -    "X-Content-Type-Options: nosniff".
   # -
   #Header always set X-Content-Type-Options "nosniff"

   # - Content Security Policy
   # - 
   # - See: https://scotthelme.co.uk/content-security-policy-an-introduction/
   # -      https://content-security-policy.com/
   # -
   # - Content Security Policy is an effective measure to protect your
   # - site from XSS attacks by whitelisting sources of approved content.
   # -
   # - The CSP header allows you to define a whitelist of approved sources of content
   # - for your site. By restricting the assets that a browser can load for your site,
   # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
   # - have covered CSP in a lot more detail in my blog Content Security Policy - An
   # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
   # -
   # - Examples: "default-src 'self';"
   # -           would only allow assets to be loaded from the current origin
   # -           (but not subdomains).
   # -
   # -           "default-src https:"
   # -           would allow any assets to be loaded over https from any origin.
   # -
   # - Allow Google Analytics, Google AJAX CDN and Same Origin
   # -    script-src 'self' www.google-analytics.com ajax.googleapis.com;
   # -
   # - Embedding Google Fonts
   # -    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
   # -
   # - Allow YouTube Videos (iframe embedded) and Same Origin
   # -    frame-src 'self' https://www.youtube.com
   # -    (frame-src was deprecated in CSP level 2 in favour of child-src, but
   # -    CSP level 3 restored it; child-src is the fallback for both frame-src
   # -    and worker-src, so listing the host in child-src covers both)
   # -    child-src 'self' www.youtube.com
   # - 
   # - Allow OpenStreetMap
   # -    script-src 'self'
   # -    style-src 'unsafe-inline'
   # -    img-src data:
   # -    font-src data:
   # -    sandbox allow-scripts allow-same-origin
   # -
   # - Baseline policy. Note that it is permissive: default-src already allows
   # - any http:/https: source plus inline and eval'd script, so only
   # - frame-ancestors, base-uri, form-action and object-src add real protection.
   # - Treat it as a starting point to tighten, not as an XSS defence.
   # -
   #Header always set Content-Security-Policy "default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self'; base-uri 'self'; form-action 'self';  object-src 'none'"

   # - A more secure configuration, including Google Analytics, Google AJAX CDN
   # - and embedding Google Fonts. 'unsafe-inline' in script-src still lets an
   # - injected inline script run; drop it (or switch to nonces or hashes) once
   # - the site's own inline scripts have been moved into files.
   # -
   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"

   # - Same as above but also allow YouTube videos. Iframes are governed by
   # - frame-src, which falls back to child-src and then default-src, so the
   # - YouTube host goes into child-src (a host listed in worker-src alone does
   # - not permit framing it).
   # -
   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' www.youtube.com ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"

   # - Same as above but also allow OpenStreetMap (embedded map frame plus
   # - data: images). If map tiles are loaded directly by the page rather than
   # - inside the frame, the tile hosts must be added to img-src as well.
   # -
   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' www.youtube.com *.openstreetmap.org ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
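The CSP policies above rely on the fallback chain between directives (frame-src falling back to child-src and then default-src, worker-src to child-src, script-src and default-src). The following added example, not part of this README, parses a policy value and computes the sources a browser actually applies to each directive, then reports whether a given host may be framed and which effective script sources weaken XSS protection. The three policy strings are constructed for the example in the shape of the ones in this file; the fallback table follows CSP level 3.

```python
# Added example, not part of the README: parse a Content-Security-Policy
# value and work out which sources a browser actually applies to each
# fetch directive, following the CSP level 3 fallback chain. The policies
# below are constructed for the example (shaped like the ones in this
# file); the analysis code is an illustration, not the project's own.

from typing import Dict, List, Optional

# CSP3 fallback order: a missing directive inherits the first directive
# present in its chain (e.g. frame-src -> child-src -> default-src).
FALLBACK: Dict[str, List[str]] = {
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "img-src": ["default-src"],
    "font-src": ["default-src"],
    "connect-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}

# Script sources that let injected or third-party code run or load.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

# Constructed sample policies.
PERMISSIVE = ("default-src 'self' http: https: data: 'unsafe-inline' 'unsafe-eval'; "
              "frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'")
# Lists www.youtube.com in worker-src only, which does not cover iframes.
YOUTUBE_IN_WORKER_SRC = ("default-src 'none'; script-src 'self'; child-src 'self'; "
                         "worker-src 'self' www.youtube.com; frame-ancestors 'self'")
YOUTUBE_IN_CHILD_SRC = ("default-src 'none'; script-src 'self'; "
                        "child-src 'self' www.youtube.com; frame-ancestors 'self'")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}.
    Browsers honour only the first occurrence of a repeated directive."""
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources the browser applies to `directive` after fallback;
    None means nothing in the policy governs it (everything allowed)."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def host_matches(source: str, host: str) -> bool:
    """Match a host-source expression (optionally scheme-prefixed, optionally
    a '*.' wildcard) against a hostname; keyword sources never match a host."""
    if source.startswith("'"):
        return False
    expr = source.split("://", 1)[-1].rstrip("/").lower()
    if expr in ("*", "http:", "https:"):
        return True  # wildcard or scheme-source: any host on that scheme
    if expr.startswith("*."):
        return host.lower().endswith(expr[1:])
    return expr == host.lower()


def may_frame(policy: Dict[str, List[str]], host: str) -> bool:
    """Can the page embed an <iframe> from `host` under this policy?"""
    sources = effective_sources(policy, "frame-src")
    if sources is None:
        return True
    return any(host_matches(s, host) for s in sources)


def script_findings(policy: Dict[str, List[str]]) -> List[str]:
    """Effective script sources that undermine XSS protection, sorted."""
    sources = effective_sources(policy, "script-src") or []
    return sorted(s for s in sources if s in RISKY_SCRIPT_SOURCES)


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE),
                        ("youtube-in-worker-src", YOUTUBE_IN_WORKER_SRC),
                        ("youtube-in-child-src", YOUTUBE_IN_CHILD_SRC)):
        pol = parse_csp(text)
        print(label, "| risky script sources:", script_findings(pol),
              "| can frame www.youtube.com:", may_frame(pol, "www.youtube.com"))
```

Running it shows the two points made in the comments above: the permissive baseline's effective script-src is inherited from default-src and contains every risky source, and a host placed only in worker-src is not reachable through frame-src's fallback chain, so the iframe is blocked until the host is listed in child-src (or frame-src).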

   # - Referrer-Policy
   # - 
   # - See: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
   # -      https://www.w3.org/TR/referrer-policy/
   # -
   # - Referrer Policy is a new header that allows a site to control how
   # - much information the browser includes with navigations away from
   # - a document and should be set by all sites.
   # -
   # - The HTTP referer (originally a misspelling of referrer) is an HTTP header
   # - field that identifies the address of the webpage (i.e. the URI or IRI) that
   # - linked to the resource being requested. By checking the referrer, the new
   # - webpage can see where the request originated.
   # -
   # - For a complete list and explanation of values, see the URLs above.
   # -
   # - Example: "no-referrer-when-downgrade"
   # -          The browser will not send the referrer header when navigating
   # -          from HTTPS to HTTP, but will always send the full URL in the
   # -          referrer header when navigating from HTTP to any origin. It
   # -          doesn't matter whether the source and destination are the same
   # -          site or not, only the scheme.
   # -
   # - "strict-origin-when-cross-origin" (used below) sends the full URL only to
   # - the same origin, only the origin to other HTTPS origins, and nothing on
   # - a downgrade to HTTP.
   # -
   #Header always set Referrer-Policy "strict-origin-when-cross-origin"

   # - HTTP Strict Transport Security (HSTS)
   # - 
   # - See: https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
   # - 
   # - HTTP Strict Transport Security (HSTS) is an excellent feature
   # - to support on your site and strengthens your implementation of 
   # - TLS by getting the User Agent to enforce the use of HTTPS.
   # -
   # - HSTS tells a browser that the website should only be accessed through
   # - a secure connection. The HSTS header will be remembered by a standard
   # - compliant browser for max-age seconds.
   # -
   # - Remember this setting for 1 year (31536000 seconds; the previously used
   # - value 15768000 is only 6 months). Add "; includeSubDomains" only once
   # - every subdomain is served over HTTPS, because the browser will then
   # - refuse plain HTTP for all of them.
   # -
   #Header always set Strict-Transport-Security "max-age=31536000"
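A way to check that a server actually sends what this file configures, covering the cookie flags, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and HSTS sections above. This is an added example and not part of the README: the response headers are a constructed sample of what a PHP site might emit before these directives are applied (including the doubled X-Frame-Options value that `Header append` produces on top of an application-set header), and the checks are an illustration, not the project's own code.

```python
# Added example, not part of the README: audit one HTTP response's headers
# against the recommendations in this file (cookie flags, X-Frame-Options,
# X-Content-Type-Options, Referrer-Policy, HSTS). The response below is a
# constructed sample; the checks are an illustration, not the project's code.

from typing import Dict, List, Optional, Union

ONE_YEAR = 31536000  # seconds; also the minimum HSTS max-age for preloading

# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}

# Constructed sample response, roughly what a PHP site sends before the
# README's directives are applied.
SAMPLE_HEADERS: Dict[str, Union[str, List[str]]] = {
    "Set-Cookie": ["PHPSESSID=abc123; Path=/", "theme=dark; Path=/; Secure"],
    "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",   # result of 'Header append'
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Strict-Transport-Security": "max-age=15768000",
}


def cookie_findings(set_cookie_values: List[str]) -> List[str]:
    """Report cookies missing HttpOnly or Secure (attribute names are
    case-insensitive per RFC 6265)."""
    findings = []
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in value.split(";")[1:]}
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings.append(f"cookie {name}: missing {', '.join(missing)}")
    return findings


def xfo_finding(value: Optional[str]) -> Optional[str]:
    """X-Frame-Options should be a single DENY or SAMEORIGIN. ALLOW-FROM is
    obsolete (current browsers ignore it; use CSP frame-ancestors), and a
    comma-joined value, as produced by 'Header append' on top of an existing
    header, is ambiguous."""
    if value is None:
        return "X-Frame-Options: not set"
    upper = value.strip().upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return None
    if upper.startswith("ALLOW-FROM "):
        return "X-Frame-Options: ALLOW-FROM is obsolete; use CSP frame-ancestors"
    return f"X-Frame-Options: ambiguous or unsupported value {value!r}"


def nosniff_finding(value: Optional[str]) -> Optional[str]:
    if value is not None and value.strip().lower() == "nosniff":
        return None
    return f"X-Content-Type-Options: expected nosniff, got {value!r}"


def referrer_finding(value: Optional[str]) -> Optional[str]:
    if value is not None and value.strip().lower() in SAFE_REFERRER_POLICIES:
        return None
    return f"Referrer-Policy: {value!r} can leak full URLs cross-origin"


def hsts_finding(value: Optional[str]) -> Optional[str]:
    """Parse Strict-Transport-Security and require a max-age of a year or more."""
    if value is None:
        return "Strict-Transport-Security: not set"
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return "Strict-Transport-Security: max-age missing or not numeric"
    if max_age < ONE_YEAR:
        return f"Strict-Transport-Security: max-age {max_age} is below one year ({ONE_YEAR})"
    return None


def audit(headers: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Run every check and return the list of findings (empty means clean)."""
    cookies = headers.get("Set-Cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    findings = cookie_findings(cookies)
    for check, name in ((xfo_finding, "X-Frame-Options"),
                        (nosniff_finding, "X-Content-Type-Options"),
                        (referrer_finding, "Referrer-Policy"),
                        (hsts_finding, "Strict-Transport-Security")):
        result = check(headers.get(name))
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS):
        print(line)
```

On the constructed sample the audit reports five findings: both cookies lack flags, the appended X-Frame-Options value is ambiguous, `unsafe-url` leaks full URLs, and the HSTS max-age is half a year. Feeding it the headers of a real response (for instance the dictionary built from `curl -sI` output) gives a quick regression check after changing the vhost configuration.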