Merge branch 'security_headers' into 'stable-3.1'

vary CSP header for HTTP and HTTPS, and secure cookies See merge request ispconfig/ispconfig3!1042

Merge branch 'security_headers' into 'stable-3.1'
c3aaf167 · Till Brehm · ee926b7d · baff94e0 · c3aaf167
Commit c3aaf167 authored 4 years ago by Till Brehm
--- a/install/tpl/apache_ispconfig.vhost.master
+++ b/install/tpl/apache_ispconfig.vhost.master
@@ -89,11 +89,13 @@ NameVirtualHost *:<tmpl_var name="vhost_port">

  <IfModule mod_headers.c>
    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
+    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    Header set X-Content-Type-Options: nosniff
    Header set X-Frame-Options: SAMEORIGIN
    Header set X-XSS-Protection: "1; mode=block"
-    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
+    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
+    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
    <IfVersion >= 2.4.7>
        Header setifempty Strict-Transport-Security "max-age=15768000"
    </IfVersion>