[gimp-web/oscp] docs.gimp.org: add noframe, no-xss and no-sniff security headers



commit 97130f2325da104c10e8b23e6209e5a743f7f9c3
Author: Michael Schumacher <schumaml gmx de>
Date:   Tue May 19 19:39:19 2020 +0200

    docs.gimp.org: add noframe, no-xss and no-sniff security headers

 .../httpd/app_data/httpd-cfg/docs.gimp.org.conf       | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
---
diff --git a/docs.gimp.org/httpd/app_data/httpd-cfg/docs.gimp.org.conf 
b/docs.gimp.org/httpd/app_data/httpd-cfg/docs.gimp.org.conf
index 23b422ca..cdf08e37 100644
--- a/docs.gimp.org/httpd/app_data/httpd-cfg/docs.gimp.org.conf
+++ b/docs.gimp.org/httpd/app_data/httpd-cfg/docs.gimp.org.conf
@@ -5,7 +5,24 @@
     ServerAdmin webmaster gimp org
     DocumentRoot /docs_data/docs
 
-    Header always unset Content-Security-Policy 
+    Header always unset Content-Security-Policy
+
+    ##
+    # Headers relevant to security
+    ##
+
+    # Only connect to this site via HTTPS for the next year (recommended)
+    Header always set Strict-Transport-Security "max-age=31536000"
+
+    # Only allow my site to frame itself
+    Header always set X-Frame-Options "SAMEORIGIN"
+
+    # Block pages from loading when they detect reflected XSS attacks
+    Header always set X-XSS-Protection "1; mode=block"
+
+    # Prevent browsers from incorrectly detecting non-scripts as scripts
+    Header always set X-Content-Type-Options "nosniff"
+
 </VirtualHost>
 
 <Location />
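Review bot: `Header always unset Content-Security-Policy` is kept (only its trailing whitespace is trimmed) while no CSP is added, so the vhost still actively strips any CSP it inherits and gains only the legacy `X-Frame-Options` and `X-XSS-Protection` controls. `X-XSS-Protection` is deprecated: Chromium removed its XSS auditor in 2019, Firefox never implemented it, and the filter has been shown to enable cross-site information leaks, so consider setting it to `0` or dropping that line. A `Content-Security-Policy` with at least `frame-ancestors 'self'` is what current browsers honour for the framing case and is the replacement for both; if the `unset` exists because an upstream config emits a broken CSP, say so in the `# Headers relevant to security` comment block. For `Strict-Transport-Security`, `max-age=31536000` is fine, but `includeSubDomains` is absent and browsers only record HSTS from a response received over TLS, so confirm this `<VirtualHost>` is the :443 one (or that the plain-HTTP vhost redirects to it); `Header` directives also require mod_headers to be loaded. After deploy, `curl -sI https://docs.gimp.org/ | grep -iE 'strict-transport|x-frame|x-content-type|x-xss'` shows whether the four headers actually reach clients.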

