From b5dd05ad4676a89362f91d8b12472181da2357c2 Mon Sep 17 00:00:00 2001
From: Jesse Norell
Date: Thu, 11 Oct 2018 21:51:53 +0200
Subject: [PATCH] Add Content-Security-Policy header and friends.
---
 install/tpl/apache_ispconfig.vhost.master | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/install/tpl/apache_ispconfig.vhost.master b/install/tpl/apache_ispconfig.vhost.master
index 57c70885d..33ff3bae8 100644
--- a/install/tpl/apache_ispconfig.vhost.master
+++ b/install/tpl/apache_ispconfig.vhost.master
@@ -88,8 +88,14 @@ NameVirtualHost *:
- Header setifempty add Strict-Transport-Security "max-age=15768000"
- RequestHeader unset Proxy early
+ # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
+ Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+ Header set X-Content-Type-Options: nosniff
+ Header set X-Frame-Options: SAMEORIGIN
+ Header set X-XSS-Protection: "1; mode=block"
+ Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
+ Header setifempty Strict-Transport-Security "max-age=15768000"
+ RequestHeader unset Proxy early
--
GitLab
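Review bot: The four new `Header set` lines (Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection) run under mod_headers' default `onsuccess` condition, so responses that go through Apache's error path (e.g. 403/404/500 error documents) are sent without them, while the Set-Cookie edit on the same hunk already uses `always`; the security headers should use it too, e.g. `Header always set X-Frame-Options SAMEORIGIN`. The comment on the first added line has a typo and should read `# ISPConfig 3.1 currently requires unsafe-inline for both scripts and styles, as well as unsafe-eval`. Because script-src already inherits a permissive default-src, the policy would gain more from directives that do not depend on it — `frame-ancestors 'self'` (the CSP counterpart of the X-Frame-Options line), `base-uri 'self'` and `form-action 'self'` — giving `Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"`. The Set-Cookie edit appends `HTTPOnly; Secure` unconditionally, so cookies that already carry those attributes (e.g. from PHP's own session settings) will get them twice, which browsers tolerate but is worth a comment. The hunk header counts six context lines that are not shown here, so the enclosing `<IfModule>`/`<VirtualHost>` scope, and whether this block is TLS-only as the HSTS line suggests, cannot be confirmed from this view.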