-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathzzz-headers.conf
58 lines (57 loc) · 3.04 KB
/
zzz-headers.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
## -----------------------------------------------------
## Apache 2.4
## User headers configuration file.
## !!! Do not load in reverse proxy case !!!
##
## @context server config
## @module headers_module
## @author Olivier Jullien <https://github.com/ojullien>
## -----------------------------------------------------
<IfModule headers_module>
#
# Deal with user agents that deliberately violate open standards by misusing DNT (DNT *must* be a specific
# end-user choice)
#
RequestHeader unset DNT env=bad_DNT
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
Header always set X-Content-Type-Options: "nosniff"
#
# X-XSS-Protection:
# Setting this header will stop pages from loading when they detect reflected
# cross-site scripting (XSS) attacks. Although these protections are largely
# unnecessary in modern browsers when sites implement a strong Content-Security-Policy
# that disables the use of inline JavaScript ('unsafe-inline'), they can still provide
# protections for users of older web browsers that don't yet support CSP.
# Requires mod_headers to be enabled.
#
# "0" means XSS filter disabled, "1" means XSS filter enabled and sanitized the page if attack detected,
# "1;mode=block" means XSS filter enabled and prevented rendering the page if attack detected
# "1;report=http://example.com/report_URI" means XSS filter enabled and reported the violation if attack detected
#
Header set X-XSS-Protection "1; mode=block"
#
# Remove this header for many static files
#
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xpi)$">
Header unset X-XSS-Protection
</FilesMatch>
#
# content-security-policy:
# Unset the csp header for many static files
#
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|png|rdf|rss|safariextz|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xpi)$">
Header unset Content-Security-Policy
</FilesMatch>
#
# The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be
# included with requests.
# Setting an HTTP referer policy is for security. If these headers are being generated on the server and not
# controlled properly, sensitive meta-information about the incoming request can get passed from an HTTPS endpoint
# to a non-secure, HTTP one, nullifying the benefits of adding HTTPS encryption to your website.
#
Header always set Referrer-Policy "no-referrer-when-downgrade, strict-origin-when-cross-origin"
</IfModule>