From 014c5b11f5811b3a1321f19b5b0d99edb79a2766 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Fri, 1 Mar 2019 09:46:01 +0530
Subject: [PATCH] chg: [doc] Some formatting for the apache conf files and some incentives to be more secure by default
---
INSTALL/apache.24.misp.ssl | 15 +++++++++++++--
INSTALL/apache.misp.centos7 | 14 ++++++++++++--
INSTALL/apache.misp.centos7.ssl | 18 ++++++++++++++++--
INSTALL/apache.misp.ubuntu | 14 ++++++++++++--
4 files changed, 53 insertions(+), 8 deletions(-)
diff --git a/INSTALL/apache.24.misp.ssl b/INSTALL/apache.24.misp.ssl
index f1107391c..e7b95cda6 100644
--- a/INSTALL/apache.24.misp.ssl
+++ b/INSTALL/apache.24.misp.ssl
@@ -16,7 +16,18 @@ LogLevel warn
 ErrorLog /var/log/apache2/misp.local_error.log
 CustomLog /var/log/apache2/misp.local_access.log combined
+ ServerSignature Off
- Header set X-Content-Type-Options nosniff
- Header set X-Frame-Options DENY
+
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+ Header always set X-Content-Type-Options nosniff
+ Header always set X-Frame-Options DENY
+ Header always unset "X-Powered-By"
+
+ # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+ ## Example:
+ # Header always set X-XSS-Protection "1; mode=block"
+ # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+ # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
diff --git a/INSTALL/apache.misp.centos7 b/INSTALL/apache.misp.centos7
index 38b31e7a3..7f119430f 100644
--- a/INSTALL/apache.misp.centos7
+++ b/INSTALL/apache.misp.centos7
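Review bot: The new `ServerSignature Off` line only removes the version footer from server-generated pages; the `Server:` response header still advertises the httpd version unless `ServerTokens Prod` is set, and ServerTokens is a server-config directive that cannot be placed inside `<VirtualHost>`, so it cannot be added in this file. A comment next to the new line would keep operators from assuming the banner is covered: `# ServerTokens Prod belongs in the main httpd.conf/apache2.conf; ServerSignature alone does not hide the version in the Server header`. The same applies to the ServerSignature lines added in apache.misp.centos7, apache.misp.centos7.ssl and apache.misp.ubuntu. In the commented examples, the Content-Security-Policy line has no closing double quote, so uncommenting it as-is would fail config parsing, and Feature-Policy spells `magnometer` and `speake` where the feature names are `magnetometer` and `speaker`, which browsers would treat as unknown and ignore; the same examples are repeated in the other three files. The enclosing <VirtualHost> block starts and ends outside this hunk.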
@@ -20,7 +20,17 @@ LogLevel warn
 ErrorLog /var/log/httpd/misp.local_error.log
 CustomLog /var/log/httpd/misp.local_access.log combined
+ ServerSignature Off
- Header set X-Content-Type-Options nosniff
- Header set X-Frame-Options DENY
+
+ Header always set X-Content-Type-Options nosniff
+ Header always set X-Frame-Options DENY
+ Header always unset "X-Powered-By"
+
+ # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+ ## Example:
+ # Header always set X-XSS-Protection "1; mode=block"
+ # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+ # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
diff --git a/INSTALL/apache.misp.centos7.ssl b/INSTALL/apache.misp.centos7.ssl
index 7192d51a9..c188c6321 100644
--- a/INSTALL/apache.misp.centos7.ssl
+++ b/INSTALL/apache.misp.centos7.ssl
@@ -7,6 +7,9 @@ LogLevel warn
 ErrorLog /var/log/httpd/misp.local_error.log
 CustomLog /var/log/httpd/misp.local_access.log combined
+
+ Header always unset "X-Powered-By"
+ ServerSignature Off
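Review bot: `Header always unset "X-Powered-By"` acts on mod_headers' `always` table, and the mod_headers documentation notes that `always` is not a superset of the default condition for existing headers, so whether this catches the header PHP emits depends on how PHP is hooked into httpd and may leave `X-Powered-By` in place. A comment pointing at the authoritative switch would help: `# X-Powered-By is emitted by PHP; set expose_php = Off in php.ini and confirm with a HEAD request that the header is gone`. If the unset is kept, pairing it with a plain `Header unset X-Powered-By` covers both header tables. The same line is added in apache.24.misp.ssl, apache.misp.centos7.ssl and apache.misp.ubuntu. The enclosing vhost starts and ends outside this hunk.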
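Review bot: This hunk gives the vhost around line 7 only the `X-Powered-By` unset and `ServerSignature Off`, while nosniff and X-Frame-Options are added only to the later vhost at line 40 of the same file; if this first vhost serves anything beyond a redirect (not visible from the hunk), the same `Header always set` lines belong here as well. If it is a redirect-only listener, a one-line comment stating that, e.g. `# plain-HTTP listener: redirect only, the security headers live in the TLS vhost below`, would document why the two header sets differ. The enclosing block starts and ends outside this hunk.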
@@ -37,7 +40,18 @@ LogLevel warn
 ErrorLog /var/log/httpd/misp.local_error.log
 CustomLog /var/log/httpd/misp.local_access.log combined
+ ServerSignature Off
- Header set X-Content-Type-Options nosniff
- Header set X-Frame-Options DENY
+
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+ Header always set X-Content-Type-Options nosniff
+ Header always set X-Frame-Options DENY
+ Header always unset "X-Powered-By"
+
+ # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+ ## Example:
+ # Header always set X-XSS-Protection "1; mode=block"
+ # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+ # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
diff --git a/INSTALL/apache.misp.ubuntu b/INSTALL/apache.misp.ubuntu
index d0d42b2ad..d46cc8d2c 100644
--- a/INSTALL/apache.misp.ubuntu
+++ b/INSTALL/apache.misp.ubuntu
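Review bot: The new Strict-Transport-Security value `max-age=31536000; includeSubdomains;` commits every subdomain of the ServerName to HTTPS for a year from the first visit, which locks out any HTTP-only host under that name, and the trailing `;` is a redundant empty directive. A comment on the line should state that trade-off: `# includeSubDomains pins all subdomains to HTTPS for one year; drop it if any subdomain must stay plain HTTP`, and the value itself reads cleaner as `"max-age=31536000; includeSubDomains"`. The identical value is added in apache.24.misp.ssl. The enclosing vhost starts and ends outside this hunk.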
@@ -12,7 +12,17 @@ LogLevel warn
 ErrorLog /var/log/apache2/misp.local_error.log
 CustomLog /var/log/apache2/misp.local_access.log combined
+ ServerSignature Off
- Header set X-Content-Type-Options nosniff
- Header set X-Frame-Options DENY
+
+ Header always set X-Content-Type-Options nosniff
+ Header always set X-Frame-Options DENY
+ Header always unset "X-Powered-By"
+
+ # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+ ## Example:
+ # Header always set X-XSS-Protection "1; mode=block"
+ # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+ # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"