From f69093e842935a7b57d63e2b9eec419141639007 Mon Sep 17 00:00:00 2001 From: Michael McGinnis Date: Thu, 12 Oct 2017 22:06:17 -0500 Subject: [PATCH 1/5] Update README.md Added X-Xss-Protection info --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index e009dec..9fd2bba 100644 --- a/README.md +++ b/README.md @@ -329,6 +329,12 @@ This prevents the website to be framed (i.e. put into an `iframe` tag), when sti SetEnvIf Request_URI "/starry-night" allow_framing=true Header set X-Frame-Options SAMEORIGIN env=!allow_framing ``` +### Helps Prevent Cross-Site Scripting (XSS) +This uses the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit) to block the response if it detects an attack. +``` apacheconf +Header always set X-Xss-Protection "1; mode=block" +``` +[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection) ## Performance ### Compress Text Files From f36170a44a562f2eb40d74e2e62b6ed796fb6932 Mon Sep 17 00:00:00 2001 From: Michael McGinnis Date: Thu, 12 Oct 2017 22:20:18 -0500 Subject: [PATCH 2/5] Update README.md Updated text, added to Table of Contents --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9fd2bba..733b9f3 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ What we are doing here is mostly collecting useful snippets from all over the in - [Password Protect a File or Several Files](#password-protect-a-file-or-several-files) - [Block Visitors by Referrer](#block-visitors-by-referrer) - [Prevent Framing the Site](#prevent-framing-the-site) + - [Help to Prevent Cross-Site Scripting](#help-to-prevent-cross-site-scripting) - [Performance](#performance) - [Compress Text Files](#compress-text-files) - [Set Expires Headers](#set-expires-headers) 
@@ -329,12 +330,13 @@ This prevents the website to be framed (i.e. put into an `iframe` tag), when sti SetEnvIf Request_URI "/starry-night" allow_framing=true Header set X-Frame-Options SAMEORIGIN env=!allow_framing ``` -### Helps Prevent Cross-Site Scripting (XSS) + +### Help to Prevent Cross-Site Scripting This uses the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit) to block the response if it detects an attack. +[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection) ``` apacheconf Header always set X-Xss-Protection "1; mode=block" ``` -[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection) ## Performance ### Compress Text Files From faefa08b064471280c276c6ce7df0ed3cc0a70eb Mon Sep 17 00:00:00 2001 From: Michael McGinnis Date: Thu, 12 Oct 2017 22:52:09 -0500 Subject: [PATCH 3/5] Update README.md Added X-Content-Type-Options --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 733b9f3..76c135f 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,7 @@ What we are doing here is mostly collecting useful snippets from all over the in - [Block Visitors by Referrer](#block-visitors-by-referrer) - [Prevent Framing the Site](#prevent-framing-the-site) - [Help to Prevent Cross-Site Scripting](#help-to-prevent-cross-site-scripting) + - [Prevents Mime-Sniffing the Incorrect Content-Type(#prevents-mime-sniffing-the-incorrect-content-type) - [Performance](#performance) - [Compress Text Files](#compress-text-files) - [Set Expires Headers](#set-expires-headers) 
@@ -338,6 +339,13 @@ This uses the built-in reflective XSS protection found in Internet Explorer, Chr Header always set X-Xss-Protection "1; mode=block" ``` +### Prevents Mime-Sniffing the Incorrect Content-Type +This reduces the risk of a file, such as an cleverly-misnamed executable, being treated as a different content-type by the browser than the one being declared by the server. It also reduces exposure to drive-by downloads. +[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection) +``` apacheconf +Header always set X-Content-Type-Options "nosniff" +``` + ## Performance ### Compress Text Files ``` apacheconf From 849a9bbae91821be13c46fd8f14f374d85645dbd Mon Sep 17 00:00:00 2001 From: Michael McGinnis Date: Thu, 12 Oct 2017 22:53:30 -0500 Subject: [PATCH 4/5] Update README.md added square bracket --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 76c135f..963c21e 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ What we are doing here is mostly collecting useful snippets from all over the in - [Block Visitors by Referrer](#block-visitors-by-referrer) - [Prevent Framing the Site](#prevent-framing-the-site) - [Help to Prevent Cross-Site Scripting](#help-to-prevent-cross-site-scripting) - - [Prevents Mime-Sniffing the Incorrect Content-Type(#prevents-mime-sniffing-the-incorrect-content-type) + - [Prevents Mime-Sniffing the Incorrect Content-Type](#prevents-mime-sniffing-the-incorrect-content-type) - [Performance](#performance) - [Compress Text Files](#compress-text-files) - [Set Expires Headers](#set-expires-headers) From 6a71561f56e7f431823d2b245baaeb3ff1995dd2 Mon Sep 17 00:00:00 2001 From: Michael McGinnis Date: Thu, 12 Oct 2017 22:55:06 -0500 Subject: [PATCH 5/5] Update README.md Corrected source --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 963c21e..63479ea 100644 --- a/README.md +++ b/README.md 
@@ -341,7 +341,7 @@ Header always set X-Xss-Protection "1; mode=block" ### Prevents Mime-Sniffing the Incorrect Content-Type This reduces the risk of a file, such as an cleverly-misnamed executable, being treated as a different content-type by the browser than the one being declared by the server. It also reduces exposure to drive-by downloads. -[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection) +[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options) ``` apacheconf Header always set X-Content-Type-Options "nosniff" ```
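Review bot: in the PATCH 1/5 hunk the new line `Header always set X-Xss-Protection "1; mode=block"` spells the header `X-Xss-Protection`; the name is case-insensitive on the wire, but the conventional spelling is `X-XSS-Protection` and the section heading itself writes "XSS", so use that form in the README. The paragraph should also say that this is a browser-side filter (the text already limits it to Internet Explorer, Chrome and Safari) and not a replacement for output encoding or a Content-Security-Policy, so readers do not treat the one-liner as XSS protection on its own. The new directive uses `Header always set` while the neighbouring `Header set X-Frame-Options SAMEORIGIN env=!allow_framing` context line does not; a sentence noting that `always` also applies the header to error responses would explain the difference, and the framing line would benefit from the same treatment.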
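Review bot: in the PATCH 2/5 hunks the renamed heading "Help to Prevent Cross-Site Scripting" and the new table-of-contents entry `#help-to-prevent-cross-site-scripting` agree, but the same hunk also moves the `[Source](...)` link from after the code block to before it, so the section no longer matches the layout PATCH 1/5 introduced; pick one placement for the source link and apply it to every section this series adds so the README stays consistent.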
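Review bot: in the PATCH 3/5 hunks the table-of-contents line `- [Prevents Mime-Sniffing the Incorrect Content-Type(#prevents-mime-sniffing-the-incorrect-content-type)` is missing the closing `]`, and the `[Source]` link for the new section points at `#x-xss-protection` instead of the X-Content-Type-Options anchor; PATCH 4/5 and PATCH 5/5 exist only to fix these, so squash them into this commit rather than leaving broken intermediate states in the history. The heading "Prevents Mime-Sniffing the Incorrect Content-Type" also uses the third-person form that PATCH 2/5 just changed away from ("Help to Prevent ..."); "Prevent MIME-Sniffing of an Incorrect Content-Type" would match, and "such as an cleverly-misnamed executable" should read "such as a cleverly misnamed executable". Finally, the paragraph says the header stops the browser from second-guessing the declared type, so it is worth adding that `nosniff` only helps when the server actually sends an accurate `Content-Type` for each file, since the browser will now trust that value.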