This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

securityonion-web-page: additional protections in securityonion.conf #976

Closed
dougburks opened this issue Aug 2, 2016 · 2 comments

dougburks commented Aug 2, 2016

From Wes Lambert:

First, we need to enable the headers module:
sudo a2enmod headers

Anti-clickjacking - The anti-clickjacking X-Frame-Options header is not defined.
https://www.owasp.org/index.php/Clickjacking
add to /etc/apache2/sites-available/securityonion.conf:
Header always append X-Frame-Options SAMEORIGIN

XSS - The X-XSS-Protection-header is not defined.
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection
add to /etc/apache2/sites-available/securityonion.conf:
Header set X-XSS-Protection "1; mode=block"

X-Content-Type - X-Content-Type-Options header is not set.
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Content-Type-Options
add to /etc/apache2/sites-available/securityonion.conf:
Header set X-Content-Type-Options nosniff

HSTS - Strict-Transport-Security header is not defined.
(I know HTTP is not currently used, but I still figured it may be a good idea to set)
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
add to /etc/apache2/sites-available/securityonion.conf:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Content-Encoding - header is set to "deflate" -- may mean that the server is vulnerable to the BREACH attack.
http://breachattack.com/
add to /etc/apache2/sites-available/securityonion.conf:
SetEnv no-gzip dont-vary

httpoxy
https://httpoxy.org/#fix-now
https://www.apache.org/security/asf-httpoxy-response.txt
add to /etc/apache2/sites-available/securityonion.conf:
RequestHeader unset Proxy early
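A check for the headers listed above, added here as an example (it is not from the issue or the Security Onion project): it parses a captured HTTP response header block offline and flags any protection that is absent or misconfigured, so it can be run before and after editing securityonion.conf. The two sample responses are constructed.

```shell
#!/bin/sh
# Added check, not from the issue or the Security Onion project: audits a
# captured HTTP response header block for the protections listed above.
# Feed it real output with: check_headers "$(curl -skI https://<host>/)"
# Constructed samples. GOOD is what a server with the fixes applied answers;
# BAD is the pre-fix state the issue describes (no headers, deflate-encoded).
GOOD_HEADERS='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'
BAD_HEADERS='HTTP/1.1 200 OK
Content-Encoding: deflate
Content-Type: text/html'

# header_value HEADERS NAME: prints the first matching header value (case-
# insensitive name match, CR and leading whitespace stripped), or nothing.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 |
        sed 's/^[^:]*:[[:space:]]*//'
}

# check_headers HEADERS: prints one line per finding; exit status is the
# number of findings, so 0 means every protection is in place.
check_headers() {
    h="$1"; n=0
    v=$(header_value "$h" X-Frame-Options)
    case "$v" in SAMEORIGIN|DENY) ;;
        *) echo "X-Frame-Options missing or invalid: '$v'"; n=$((n+1)) ;; esac
    v=$(header_value "$h" X-XSS-Protection)
    case "$v" in "1; mode=block"|"1;mode=block") ;;
        *) echo "X-XSS-Protection not '1; mode=block': '$v'"; n=$((n+1)) ;; esac
    v=$(header_value "$h" X-Content-Type-Options)
    [ "$v" = nosniff ] || { echo "X-Content-Type-Options not nosniff: '$v'"; n=$((n+1)); }
    # HSTS: require a max-age of at least one year, as the issue configures.
    age=$(header_value "$h" Strict-Transport-Security |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
        echo "Strict-Transport-Security missing or max-age too short: '$age'"; n=$((n+1))
    fi
    # Compressed responses are the precondition the BREACH note refers to.
    v=$(header_value "$h" Content-Encoding)
    case "$v" in gzip|deflate) echo "Content-Encoding is $v (BREACH exposure)"; n=$((n+1)) ;; esac
    return "$n"
}

check_headers "$GOOD_HEADERS" && echo "all protections present"
check_headers "$BAD_HEADERS" || echo "$? finding(s) above"
```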
