Added some HTTPS headers in order to improve privacy and security.

2019-04-04 13:54:23 +02:00 · 2019-04-04 13:54:23 +02:00 · 9c5213c14d
parent 7f9c157758
commit 9c5213c14d
4 changed files with 29 additions and 0 deletions
--- a/INSTALL/INSTALL.rhel7.md
+++ b/INSTALL/INSTALL.rhel7.md
@ -121,4 +121,11 @@ Set file ownership for monarc installation
        Require all granted
    </Directory>

+    <IfModule mod_headers.c>
+       Header always set X-Content-Type-Options nosniff
+       Header always set X-XSS-Protection "1; mode=block"
+       Header always set X-Robots-Tag none
+       Header always set X-Frame-Options SAMEORIGIN
+    </IfModule>
+
    SetEnv APPLICATION_ENV "development"
--- a/INSTALL/INSTALL.ubuntu1604.md
+++ b/INSTALL/INSTALL.ubuntu1604.md
@ -42,6 +42,13 @@ Especially by setting a strong root password.
            Require all granted
        </Directory>

+        <IfModule mod_headers.c>
+           Header always set X-Content-Type-Options nosniff
+           Header always set X-XSS-Protection "1; mode=block"
+           Header always set X-Robots-Tag none
+           Header always set X-Frame-Options SAMEORIGIN
+        </IfModule>
+
        SetEnv APPLICATION_ENV "development"
    </VirtualHost>

--- a/INSTALL/INSTALL.ubuntu1804.md
+++ b/INSTALL/INSTALL.ubuntu1804.md
@ -42,6 +42,13 @@ Especially by setting a strong root password.
            Require all granted
        </Directory>

+        <IfModule mod_headers.c>
+           Header always set X-Content-Type-Options nosniff
+           Header always set X-XSS-Protection "1; mode=block"
+           Header always set X-Robots-Tag none
+           Header always set X-Frame-Options SAMEORIGIN
+        </IfModule>
+
        SetEnv APPLICATION_ENV "development"
    </VirtualHost>

--- a/vagrant/bootstrap.sh
+++ b/vagrant/bootstrap.sh
@ -82,6 +82,7 @@ done
 echo -e "\n--- Enabling mod-rewrite and ssl… ---\n"
 a2enmod rewrite > /dev/null 2>&1
 a2enmod ssl > /dev/null 2>&1
+a2enmod headers > /dev/null 2>&1

 echo -e "\n--- Allowing Apache override to all ---\n"
 sudo sed -i "s/AllowOverride None/AllowOverride All/g" /etc/apache2/apache2.conf
@ -162,6 +163,13 @@ cat > /etc/apache2/sites-enabled/000-default.conf <<EOF
        Require all granted
    </Directory>

+    <IfModule mod_headers.c>
+       Header always set X-Content-Type-Options nosniff
+       Header always set X-XSS-Protection "1; mode=block"
+       Header always set X-Robots-Tag none
+       Header always set X-Frame-Options SAMEORIGIN
+    </IfModule>
+
    SetEnv APPLICATION_ENV $ENVIRONMENT
    SetEnv APP_DIR $PATH_TO_MONARC
 </VirtualHost>