Apache (probably other webservers too) - consider enabling some security headers: e.g. "X-Frame-Options" & "X-Content-Type-Options" #1938
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I note that the config for the "X-Frame-Options" & "X-Content-Type-Options" headers are already included in
/etc/apache2/conf-available/security.conf(lines 74 & [67])https://github.com/turnkeylinux/common/blob/18.x/overlays/apache/etc/apache2/conf-available/security.conf#L67) respectively). However they are commented out by default.We should consider enabling them (uncomment them) by default. There are probably other headers we should consider including, although they probably should remain commented out.
Re the above mentioned headers, there are a few other tweaks that we probably should make:
SAMEORIGINrather thansameorigin- whilst lowercase should work, most docs I've come across have it uppercase so best to be consistent with thatHeader onsuccess unset ...- that will explicitly disable it first, before setting it. That will ensure that it isn't set twice. This is quite important as some PHP apps set it themselves (e.g. Nextcloud) and/or it may be set within an.htaccessfile.alwaysto ensure that it is always applied.I.e. they should look like this:
and
refs:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Following Nextcloud's lead there are probably some other headers we could include (but probably commented out):
More refs:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://owasp.org/www-project-secure-headers/
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
https://www.darkrelay.com/post/http-security-headers
https://www.sentrium.co.uk/labs/application-security-101-http-headers
https://htaccessbook.com/important-security-headers/
The text was updated successfully, but these errors were encountered: