
Apache (probably other webservers too) - consider enabling some security headers: e.g. "X-Frame-Options" & "X-Content-Type-Options"

Open JedMeister opened this issue 9 months ago • 0 comments

I note that the config for the "X-Frame-Options" & "X-Content-Type-Options" headers is already included in /etc/apache2/conf-available/security.conf (lines 74 & [67](https://github.com/turnkeylinux/common/blob/18.x/overlays/apache/etc/apache2/conf-available/security.conf#L67) respectively). However they are commented out by default.

We should consider enabling them (uncomment them) by default. There are probably other headers we should consider including, although they probably should remain commented out.

Re the above mentioned headers, there are a few other tweaks that we probably should make:

  • use SAMEORIGIN rather than sameorigin - whilst lowercase should work, most docs I've come across have it uppercase so best to be consistent with that
  • remove colons - again it should work, but again docs don't note it
  • above the line to enable it, add the line Header onsuccess unset ... - that will explicitly disable it first, before setting it. That will ensure that it isn't set twice. This is quite important as some PHP apps set it themselves (e.g. Nextcloud) and/or it may be set within an .htaccess file.
  • prefix always to ensure that it is always applied.

I.e. they should look like this:

Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

and

Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"

refs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Following Nextcloud's lead there are probably some other headers we could include (but probably commented out):

More refs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers https://owasp.org/www-project-secure-headers/ https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html https://www.darkrelay.com/post/http-security-headers https://www.sentrium.co.uk/labs/application-security-101-http-headers https://htaccessbook.com/important-security-headers/

JedMeister, Apr 29 '24 22:04
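As an added example (not code from the issue or from the TurnKey project), a small Python audit that parses a raw response header block, as `curl -sI URL` prints it, and checks that each of the two headers discussed above is present exactly once with its canonical value. It flags the failure modes the issue mentions: the header missing, set twice (Apache plus an app such as Nextcloud), or carrying a non-canonical value such as lowercase `sameorigin` or a stray colon. The header blocks are constructed samples.

```python
from collections import defaultdict
from typing import Dict, List

# Canonical values per MDN: X-Frame-Options allows SAMEORIGIN or DENY,
# X-Content-Type-Options only nosniff. Header names are matched case-insensitively.
EXPECTED = {
    "x-frame-options": {"SAMEORIGIN", "DENY"},
    "x-content-type-options": {"nosniff"},
}

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header block into name -> list of values; duplicates are kept."""
    headers: Dict[str, List[str]] = defaultdict(list)
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank/continuation line
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw: str) -> List[str]:
    """Return findings for the two headers; an empty list means both are set once, correctly."""
    headers = parse_headers(raw)
    findings: List[str] = []
    for name, allowed in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
            continue
        if len(values) > 1:  # e.g. Apache and the PHP app both set it
            findings.append(f"{name}: set {len(values)} times ({', '.join(values)})")
        for v in values:
            if v not in allowed:
                findings.append(f"{name}: non-canonical value {v!r}, expected one of {sorted(allowed)}")
    return findings

# Constructed sample: what the proposed unset-then-always-set config should produce.
GOOD = "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: SAMEORIGIN\nX-Content-Type-Options: nosniff\n"
# Constructed sample: lowercase value, duplicated by the app, second header missing.
BAD = "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: sameorigin\nX-Frame-Options: SAMEORIGIN\n"

if __name__ == "__main__":
    for label, block in (("good", GOOD), ("bad", BAD)):
        print(label, audit(block) or "ok")
```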