leftovers libelektra.org migration #1526
Unfortunately, I'm not using Apache webserver. Though, from reading Apache sources, it should be adding something like this to your
If the previous three headers work fine (verify with the scanner I listed in #1505) you can add a CSR policy, to prevent cross-site attacks. AFAIK the website is not using any external CDN content, so this should be a good working policy.
To test it first, use
If that works fine, replace that line with
In short, this header ensures that browsers are only allowed to load content from the website's default URL itself.
Additionally, you can add an HSTS header if you like. Adding this means that you have to redirect all HTTP requests to HTTPS by default! If you don't want this, just skip this section. It only tells the visitor's browser that your site will only allow HTTPS connections for the coming 31536000 seconds from the first time visiting your page.
In conclusion, if you add the first four headers + HSTS the website should be fine. Later you can always be more restrictive with your CSR policy, but for now this should be fine.
I hope this helps a bit.
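As an added example (not part of this issue thread or of the libelektra project's code), a small Python checker that evaluates a server's response headers against the policy suggested above: a Content Security Policy restricted to `default-src 'self'` (enforced, not merely report-only) and an HSTS header with `max-age=31536000`. The sample header dictionary is constructed for illustration.

```python
"""Check HTTP response headers against the CSP/HSTS policy suggested above."""
from typing import Dict, List

# Constructed sample: what the site might send once the suggested headers are enabled.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000",
}

ONE_YEAR = 31536000  # the max-age value mentioned in the comment (seconds)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the headers match the suggested policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    csp = enforced or report_only
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        if enforced is None:
            findings.append("CSP is still report-only (testing mode), not enforced")
        sources = parse_csp(csp).get("default-src")
        if sources != ["'self'"]:
            findings.append(f"default-src is {sources!r}, expected only 'self'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header (optional; only for HTTPS-only sites)")
    else:
        max_age = None
        for d in hsts.split(";"):
            key, _, val = d.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below {ONE_YEAR} seconds")
    return findings
```

Run `check_headers` against the headers returned by a real request (for example from `requests.get(url).headers`) to confirm the report-only test header has been replaced by the enforcing one.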