Puppet module to enable, configure and manage secure HTTP headers on web servers.
This module provides an easy way to enable, configure and manage secure HTTP response headers on:
- apache2 (Debian-like distros);
- httpd (RedHat-like distros);
- nginx;
- lighttpd.
The standard options and their default values are:
$x_frame_options = 'SAMEORIGIN'
$x_content_type_options = 'nosniff'
$x_xss_protection = '1; mode=block'
$x_robots_tag = ''
$public_key_pins = ''
$strict_transport_security = ''
$content_security_policy = ''
$content_security_policy_report_only = ''
$x_content_security_policy = ''
$x_webkit_csp = ''
Note that Public-Key-Pins (HPKP) has been withdrawn by browser vendors, X-Content-Security-Policy and X-WebKit-CSP are pre-standard names for Content-Security-Policy, and X-XSS-Protection is ignored by current Chromium-based browsers and was never implemented by Firefox; for current browsers the headers that matter are Strict-Transport-Security and Content-Security-Policy.
For more information about secure HTTP headers see:
- OWASP Secure Headers Project;
- this article in Brazilian Portuguese (pt_BR).
$ puppet module install amenezes-http_hardening
- Basic usage for apache2 (Debian-like distros) and httpd (RedHat-like distros). This enables mod_headers and sets the standard secure HTTP headers.
class { 'http_hardening':
apache2 => true,
}
class { 'http_hardening':
httpd => true,
}
Note: on RedHat-like distros SELinux may need to be configured to allow mod_headers.
- Basic usage on nginx.
class { 'http_hardening':
nginx => true,
}
- Basic usage on lighttpd.
class { 'http_hardening':
lighttpd => true,
}
- Custom configuration on apache2 (Debian-like distros) or httpd (RedHat-like distros).
class { 'http_hardening':
apache2 => true,
x_frame_options => 'SAMEORIGIN',
x_xss_protection => '1; mode=block',
}
class { 'http_hardening':
httpd => true,
x_frame_options => 'SAMEORIGIN',
x_xss_protection => '1; mode=block',
}
- Custom configuration on nginx.
class { 'http_hardening':
nginx => true,
x_frame_options => 'SAMEORIGIN',
x_xss_protection => '1; mode=block',
}
- Custom configuration on lighttpd.
class { 'http_hardening':
lighttpd => true,
x_frame_options => 'SAMEORIGIN',
x_xss_protection => '1; mode=block',
}
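After the class has been applied it is worth checking what the server actually sends rather than trusting the manifest: a later Header directive in a virtual host, a custom override, or a module that was never enabled can all leave the response without the headers you configured. The following POSIX shell script is an added example written for this README; it is not part of the http_hardening module. It fetches only the response headers with curl and reports which of the module's standard headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection), which of the optional hardening headers (Strict-Transport-Security, Content-Security-Policy) and which legacy headers (Public-Key-Pins, X-Content-Security-Policy, X-WebKit-CSP) are present. The two sample responses embedded in it are constructed for offline testing, not captured from a real server; the URLs to audit are whatever you pass on the command line.

```shell
#!/bin/sh
# check_headers.sh: audit the security headers a web server actually sends.
# Added example for this README; it is not part of the http_hardening module.
# Usage: sh check_headers.sh https://www.example.com/ [URL ...]
#        sh check_headers.sh          (no URLs: runs against the constructed samples)

# Headers the module sets with its standard options.
STANDARD="x-frame-options x-content-type-options x-xss-protection"
# Options the module leaves empty by default but that a hardened site should set.
RECOMMENDED="strict-transport-security content-security-policy"
# Headers the module can still emit but that current browsers no longer honour.
LEGACY="public-key-pins x-content-security-policy x-webkit-csp"

# header_value RAW NAME: print the value of header NAME in the raw response
# headers RAW (case-insensitive, first match, CR stripped); nothing if absent.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//'
}

# audit RAW: print one finding per line for the response headers in RAW.
audit() {
  for h in $STANDARD; do
    v=$(header_value "$1" "$h")
    if [ -n "$v" ]; then echo "OK       $h: $v"; else echo "MISSING  $h"; fi
  done
  for h in $RECOMMENDED; do
    v=$(header_value "$1" "$h")
    if [ -n "$v" ]; then echo "OK       $h: $v"; else echo "ABSENT   $h (module option is empty by default)"; fi
  done
  for h in $LEGACY; do
    v=$(header_value "$1" "$h")
    if [ -n "$v" ]; then echo "LEGACY   $h: $v (ignored by current browsers)"; fi
  done
}

# missing_count RAW: print how many of the STANDARD headers are absent from RAW.
missing_count() {
  n=0
  for h in $STANDARD; do
    if [ -z "$(header_value "$1" "$h")" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed sample responses (not captured from a real server) for offline use.
SAMPLE_HARDENED=$(printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: nginx' \
  'X-Frame-Options: SAMEORIGIN' 'X-Content-Type-Options: nosniff' \
  'X-XSS-Protection: 1; mode=block' \
  'Strict-Transport-Security: max-age=31536000; includeSubDomains')
SAMPLE_BARE=$(printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
  'Content-Type: text/html')

if [ $# -gt 0 ]; then
  # Live mode: -I requests headers only; redirects are deliberately not
  # followed, so the report is for exactly the URL given.
  for url in "$@"; do
    echo "== $url"
    audit "$(curl -sSI "$url")"
  done
else
  echo "== constructed hardened sample"
  audit "$SAMPLE_HARDENED"
  echo "== constructed bare sample"
  audit "$SAMPLE_BARE"
fi
```

Run it against the HTTPS URL of the site once the agent has applied the manifest; Strict-Transport-Security only has meaning over TLS, and because redirects are not followed a plain-HTTP URL that redirects to HTTPS will show the redirect's headers rather than the final page's. Point it at a static asset as well (an image or a script) when you use the custom defines shown later on this page, since those apply to a subset of files and the front page alone will not reveal whether the override took effect.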
- Custom HTTP header configuration on apache2 or httpd, using the http_hardening::custom_apache defined type to set or override headers for a subset of files (here, matched by FilesMatch).
http_hardening::custom_apache { 'custom_config_1':
custom_param => 'FilesMatch',
custom_filter => '\.(png|ico|jpeg|jpg|gif)$',
custom_headers => {
'X-XSS-Protection' => '0',
}
}
http_hardening::custom_apache { 'custom_config_2':
custom_filter => '\.(js|css)$',
custom_headers => {
'P3P' => 'CP=\"CAO PSA OUR\"'
}
}
For more information see the Apache mod_headers documentation (the Header directive).
- Custom HTTP header configuration on lighttpd, using the http_hardening::custom_lighttpd defined type.
http_hardening::custom_lighttpd { 'custom_config_1':
custom_headers => {
'X-XSS-Protection' => '0',
}
}
http_hardening::custom_lighttpd { 'custom_config_2':
custom_filter => '\.(js|css)$',
custom_headers => {
'P3P' => 'CP=\"CAO PSA OUR\"'
}
}
author: alexandre menezes
twitter: @ale_menezes