[gimp-web/oscp] www.gimp.org: adjust security headers and config formatting
- From: Michael Schumacher <schumaml src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gimp-web/oscp] www.gimp.org: adjust security headers and config formatting
- Date: Fri, 27 Mar 2020 18:13:43 +0000 (UTC)
commit 03606ddfc9b3714852b69d2dc29e52062e05ba30
Author: Michael Schumacher <schumaml gmx de>
Date: Fri Mar 27 19:12:04 2020 +0100
www.gimp.org: adjust security headers and config formatting
config now matches that of testing.gimp.org
www.gimp.org/app_data/httpd-cfg/www.gimp.org.conf | 56 ++++++++++++++++++-----
1 file changed, 45 insertions(+), 11 deletions(-)
---
diff --git a/www.gimp.org/app_data/httpd-cfg/www.gimp.org.conf
b/www.gimp.org/app_data/httpd-cfg/www.gimp.org.conf
index 432333ad..d6eeb679 100644
--- a/www.gimp.org/app_data/httpd-cfg/www.gimp.org.conf
+++ b/www.gimp.org/app_data/httpd-cfg/www.gimp.org.conf
@@ -5,19 +5,53 @@
ServerAdmin webmaster gimp org
DocumentRoot /opt/app-root/src/html
+ ##
+ # Headers relevant to security
+ ##
+
+ # Only connect to this site via HTTPS for the next year (recommended)
+ Header always set Strict-Transport-Security "max-age=31536000"
+
+ # Only allow my site to frame itself
+ Header always set X-Frame-Options "SAMEORIGIN"
+
+ # Block pages from loading when they detect reflected XSS attacks
+ Header always set X-XSS-Protection "1; mode=block"
+
+ # Prevent browsers from incorrectly detecting non-scripts as scripts
+ Header always set X-Content-Type-Options "nosniff"
+
# Disable unsafe inline/eval, only load resources from same origin
# except also allow OpenHub. Also disables the execution of plugins.
- Header always set Content-Security-Policy "default-src 'self'; script-src 'self'
https://www.openhub.net; child-src 'self' https://www.openhub.net https://www.youtube.com
https://www.youtube-nocookie.com; object-src 'none'; media-src 'self' https://download.gimp.org
https://www.mirrorservice.org;"
-
- RedirectPermanent /downloads/Linux.html /downloads/
- RedirectPermanent /downloads/Mac.html /downloads/
- RedirectPermanent /downloads/Windows.html /downloads/
- RedirectPermanent /macintosh/ /downloads/
- RedirectPermanent /windows/ /downloads/
- RedirectPermanent /news/2017/02/27/an-interview-with-michael-natterer-gimp-maintainer/
/news/2017/03/01/an-interview-with-michael-natterer-gimp-maintainer/
- RedirectPermanent /news/2018/03/26/gimp-2-10-rc1-released/ /news/2018/03/26/gimp-2-10-0-rc1-released/
- RedirectPermanent /bugs/howtos/bugzilla.html /bugs/report.html
- RedirectPermanent /news.rdf /feeds/atom.xml
+ Header always set \
+ Content-Security-Policy " \
+ default-src 'none'; \
+ img-src 'self'; \
+ style-src 'self'; \
+ script-src 'self' https://www.openhub.net; \
+ font-src 'self'; \
+ child-src 'self' https://www.openhub.net https://www.youtube.com
https://www.youtube-nocookie.co\
+m; \
+ object-src 'none'; \
+ media-src 'self' https://download.gimp.org https://www.mirrorservice.org; \
+ base-uri 'self'; \
+ form-action 'self'; \
+ frame-ancestors 'self'; \
+ "
+ Header always set \
+ Referrer-Policy: "same-origin, strict-origin-when-cross-origin"
+
+ RedirectPermanent /downloads/Linux.html /downloads/
+ RedirectPermanent /downloads/Mac.html /downloads/
+ RedirectPermanent /downloads/Windows.html /downloads/
+ RedirectPermanent /macintosh/ /downloads/
+ RedirectPermanent /windows/ /downloads/
+ RedirectPermanent /news/2017/02/27/an-interview-with-michael-natterer-gimp-maintainer/ \
+ /news/2017/03/01/an-interview-with-michael-natterer-gimp-maintainer/
+ RedirectPermanent /news/2018/03/26/gimp-2-10-rc1-released/ \
+ /news/2018/03/26/gimp-2-10-0-rc1-released/
+ RedirectPermanent /bugs/howtos/bugzilla.html /bugs/report.html
+ RedirectPermanent /news.rdf /feeds/atom.xml
AddType text/html .xhtml
AddType text/xml .rdf
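Review bot: The `Referrer-Policy:` directive near the end of the hunk carries a trailing colon in the header name, so mod_headers emits a malformed name that browsers will not match and the policy never takes effect; it should read `Header always set Referrer-Policy "same-origin, strict-origin-when-cross-origin"`. The child-src entry of the new Content-Security-Policy also splits a host across a line continuation (`https://www.youtube-nocookie.co\` followed by `+m; \`), which is fragile and, if the continuation preserves the next line's leading whitespace, would produce `youtube-nocookie.co` plus a stray `m` token instead of the intended host — join it onto one line and verify the emitted header from the running server. The `X-XSS-Protection "1; mode=block"` line relies on a browser filter that has since been withdrawn and is commonly set to `0` today, with the CSP above doing the real work; a comment recording that choice next to the directive would help the next maintainer. The surrounding VirtualHost block starts before this hunk.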