This repository has been archived by the owner on Apr 16, 2021. It is now read-only.
From Wes Lambert:
First, we need to enable the headers module:
sudo a2enmod headers
Anti-clickjacking - The anti-clickjacking X-Frame-Options header is not defined.
https://www.owasp.org/index.php/Clickjacking
add to /etc/apache2/sites-available/securityonion.conf:
Header always set X-Frame-Options SAMEORIGIN
XSS - The X-XSS-Protection header is not defined.
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection
add to /etc/apache2/sites-available/securityonion.conf:
Header set X-XSS-Protection "1; mode=block"
X-Content-Type - X-Content-Type-Options header is not set.
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Content-Type-Options
add to /etc/apache2/sites-available/securityonion.conf:
Header set X-Content-Type-Options nosniff
HSTS - Strict-Transport-Security header is not defined.
( I know HTTP is not currently used, but I still figured it may be a good idea to set)
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
add to /etc/apache2/sites-available/securityonion.conf:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Content-Encoding - header is set to "deflate" -- may mean that the server is vulnerable to the BREACH attack.
http://breachattack.com/
add to /etc/apache2/sites-available/securityonion.conf:
SetEnv no-gzip dont-vary
httpoxy
https://httpoxy.org/#fix-now
https://www.apache.org/security/asf-httpoxy-response.txt
add to /etc/apache2/sites-available/securityonion.conf:
RequestHeader unset Proxy early
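The directives above are applied on the server; the check a practitioner wants afterwards is to look at what Apache actually sends. The following POSIX shell script is an added example, not code from the issue or from the Security Onion project: it audits a captured HTTP response head for the response headers listed above and flags a compressed Content-Encoding as the BREACH precondition the scanner reports. The two sample responses are constructed here for illustration, and the URL in fetch_head is a placeholder. The httpoxy fix cannot be verified this way, since it unsets a request header on the way in rather than adding a response header.

```shell
#!/bin/sh
# Audit an HTTP response head for the hardening headers discussed in the issue.
# Added example; the sample responses below are constructed, not captured.

# Constructed: what an un-hardened Apache response head might look like.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Encoding: deflate
Content-Type: text/html; charset=UTF-8'

# Constructed: the same server after the Header/SetEnv directives are applied.
SAMPLE_AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8'

# header_value NAME RESPONSE
# Print the value of header NAME (case-insensitive match, CRLF tolerated);
# print nothing if the header is absent.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v name="$1" -F': *' '
        tolower($1) == tolower(name) { sub(/^[^:]*: */, ""); print; exit }'
}

# audit_headers RESPONSE
# Print one PASS/FAIL line per check; the return code is the number of failures.
audit_headers() {
    resp=$1
    fails=0
    # name|required substring of the value
    for spec in \
        'X-Frame-Options|SAMEORIGIN' \
        'X-Content-Type-Options|nosniff' \
        'X-XSS-Protection|1; mode=block' \
        'Strict-Transport-Security|max-age='; do
        name=${spec%%|*}
        want=${spec#*|}
        got=$(header_value "$name" "$resp")
        case "$got" in
            '')        echo "FAIL $name missing"; fails=$((fails + 1)) ;;
            *"$want"*) echo "PASS $name: $got" ;;
            *)         echo "FAIL $name: $got (expected to contain '$want')"
                       fails=$((fails + 1)) ;;
        esac
    done
    # Compressed responses that reflect user input are what BREACH needs;
    # SetEnv no-gzip in the vhost should make this header disappear.
    enc=$(header_value Content-Encoding "$resp")
    case "$enc" in
        *gzip*|*deflate*|*br*)
            echo "FAIL Content-Encoding: $enc (compression enabled, BREACH precondition)"
            fails=$((fails + 1)) ;;
        *)  echo "PASS Content-Encoding: ${enc:-none}" ;;
    esac
    return $fails
}

# fetch_head URL: grab a live response head to feed into audit_headers.
# -k tolerates the self-signed certificate a default install uses; the host is a placeholder.
fetch_head() {
    curl -skI "$1"
}

echo "--- before hardening ---"
audit_headers "$SAMPLE_BEFORE" || echo "$? finding(s)"
echo "--- after hardening ---"
audit_headers "$SAMPLE_AFTER" || echo "$? finding(s)"
# Live use (not run here):
#   audit_headers "$(fetch_head https://securityonion.example/)"
```

Run it against the real host after `sudo service apache2 reload` and also against an error page (e.g. a 404), since `Header always` is what makes the headers appear on non-2xx responses; a plain `Header set` would not. Two caveats that post-date the issue: browsers have since removed the XSS auditor that X-XSS-Protection controls, so current OWASP guidance is to omit it or set it to `0`, and an HSTS max-age of a year should only be sent once HTTPS is confirmed to be the only way the console is reached.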