Merge branch 'patch-3' into 'stable-3.1'

Add Content-Security-Policy header and friends. See merge request ispconfig/ispconfig3!824

Merge branch 'patch-3' into 'stable-3.1'
Add Content-Security-Policy header and friends. See merge request ispconfig/ispconfig3!824
74a297a2 · Till Brehm · 06cf8f6e · b5dd05ad · 74a297a2
Commit 74a297a2 authored Oct 12, 2018 by Till Brehm
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

install/tpl/apache_ispconfig.vhost.master install/tpl/apache_ispconfig.vhost.master +8 -2

No files found.
--- a/install/tpl/apache_ispconfig.vhost.master
+++ b/install/tpl/apache_ispconfig.vhost.master
@@ -88,8 +88,14 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
  </tmpl_if>

  <IfModule mod_headers.c>
-    Header setifempty add Strict-Transport-Security "max-age=15768000"
-	RequestHeader unset Proxy early
+    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
+    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+    Header set X-Content-Type-Options: nosniff
+    Header set X-Frame-Options: SAMEORIGIN
+    Header set X-XSS-Protection: "1; mode=block"
+    Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
+    Header setifempty Strict-Transport-Security "max-age=15768000"
+    RequestHeader unset Proxy early
  </IfModule>

  <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>