chg: [doc] Some formatting for the apache conf files and some incentives to be more secure by default

2019-03-01 09:46:01 +05:30 · 2019-03-01 09:46:01 +05:30 · 014c5b11f5
parent 6b3b705447
commit 014c5b11f5
4 changed files with 53 additions and 8 deletions
--- a/INSTALL/apache.24.misp.ssl
+++ b/INSTALL/apache.24.misp.ssl
@ -16,7 +16,18 @@
    LogLevel warn
    ErrorLog /var/log/apache2/misp.local_error.log
    CustomLog /var/log/apache2/misp.local_access.log combined
+
    ServerSignature Off
-    Header set X-Content-Type-Options nosniff
-    Header set X-Frame-Options DENY
+
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Frame-Options DENY
+    Header always unset "X-Powered-By"
+
+    # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+    ## Example:
+    # Header always set X-XSS-Protection "1; mode=block"
+    # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+    # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
 </VirtualHost>
--- a/INSTALL/apache.misp.centos7
+++ b/INSTALL/apache.misp.centos7
@ -20,7 +20,17 @@
    LogLevel warn
    ErrorLog /var/log/httpd/misp.local_error.log
    CustomLog /var/log/httpd/misp.local_access.log combined
+
    ServerSignature Off
-    Header set X-Content-Type-Options nosniff
-    Header set X-Frame-Options DENY
+
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Frame-Options DENY
+    Header always unset "X-Powered-By"
+
+    # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+    ## Example:
+    # Header always set X-XSS-Protection "1; mode=block"
+    # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+    # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
 </VirtualHost>
--- a/INSTALL/apache.misp.centos7.ssl
+++ b/INSTALL/apache.misp.centos7.ssl
@ -7,6 +7,9 @@
    LogLevel warn
    ErrorLog /var/log/httpd/misp.local_error.log
    CustomLog /var/log/httpd/misp.local_access.log combined
+
+    Header always unset "X-Powered-By"
+
    ServerSignature Off
 </VirtualHost>

@ -37,7 +40,18 @@
    LogLevel warn
    ErrorLog /var/log/httpd/misp.local_error.log
    CustomLog /var/log/httpd/misp.local_access.log combined
+
    ServerSignature Off
-    Header set X-Content-Type-Options nosniff
-    Header set X-Frame-Options DENY
+
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Frame-Options DENY
+    Header always unset "X-Powered-By"
+
+    # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+    ## Example:
+    # Header always set X-XSS-Protection "1; mode=block"
+    # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+    # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
 </VirtualHost>
--- a/INSTALL/apache.misp.ubuntu
+++ b/INSTALL/apache.misp.ubuntu
@ -12,7 +12,17 @@
    LogLevel warn
    ErrorLog /var/log/apache2/misp.local_error.log
    CustomLog /var/log/apache2/misp.local_access.log combined
+
    ServerSignature Off
-    Header set X-Content-Type-Options nosniff
-    Header set X-Frame-Options DENY
+
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Frame-Options DENY
+    Header always unset "X-Powered-By"
+
+    # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+    ## Example:
+    # Header always set X-XSS-Protection "1; mode=block"
+    # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+    # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
 </VirtualHost>