Apache (probably other webservers too) - consider enabling some security headers: e.g. "X-Frame-Options" & "X-Content-Type-Options" #1938
Description
I note that the config for the "X-Frame-Options" & "X-Content-Type-Options" headers is already included in /etc/apache2/conf-available/security.conf (lines 74 & [67](https://github.com/turnkeylinux/common/blob/18.x/overlays/apache/etc/apache2/conf-available/security.conf#L67) respectively). However they are commented out by default.
We should consider enabling them (uncomment them) by default. There are probably other headers we should consider including, although they probably should remain commented out.
Re the above mentioned headers, there are a few other tweaks that we probably should make:
- use `SAMEORIGIN` rather than `sameorigin` - whilst lowercase should work, most docs I've come across have it uppercase so best to be consistent with that
- remove colons - again it should work, but again docs don't note it
- above the line to enable it, add the line `Header onsuccess unset ...` - that will explicitly disable it first, before setting it. That will ensure that it isn't set twice. This is quite important as some PHP apps set it themselves (e.g. Nextcloud) and/or it may be set within an `.htaccess` file.
- prefix `always` to ensure that it is always applied.
I.e. they should look like this:

```apache
Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
```

and

```apache
Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
```
refs:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Following Nextcloud's lead there are probably some other headers we could include (but probably commented out):
- Referrer-Policy
- X-Robots-Tag
- X-Permitted-Cross-Domain-Policies (no MDN ref - more general refs below)
- X-XSS-Protection - note warning!
More refs:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://owasp.org/www-project-secure-headers/
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
https://www.darkrelay.com/post/http-security-headers
https://www.sentrium.co.uk/labs/application-security-101-http-headers
https://htaccessbook.com/important-security-headers/
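As an added example (not part of the issue above or of the TurnKey project's code), the following Python script parses a raw HTTP response head and audits the two headers the issue wants enabled. It reports the failure modes the issue describes: a header missing, a header set twice (the case the `Header onsuccess unset` line is meant to prevent when a PHP app or `.htaccess` also sets it), and a non-canonical value such as lowercase `sameorigin`. The sample responses are constructed for the example, not captured from a real server.

```python
"""Audit the security headers in a raw HTTP response head.

Added example; it is not part of the turnkeylinux issue or the project's code.
It checks the two headers the issue wants enabled by default and reports the
failure modes the issue describes: a header missing, set twice (what the
`Header onsuccess unset` line is meant to prevent), or carrying a
non-canonical value such as lowercase "sameorigin".
"""
from typing import Dict, List, Tuple

# Accepted values per MDN; the issue recommends the uppercase form "SAMEORIGIN".
EXPECTED: Dict[str, set] = {
    "x-frame-options": {"SAMEORIGIN", "DENY"},
    "x-content-type-options": {"nosniff"},
}

# Constructed sample responses (not captured from any real server).
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 01 Jan 2025 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)
# Apache and the PHP app both set X-Frame-Options: no `unset` beforehand.
SAMPLE_DUPLICATE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)
# Lowercase value, and the second header missing entirely.
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lowercased-name, value) pairs from a raw response head.

    Duplicates are kept deliberately; a dict would silently hide them.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw: str) -> Dict[str, str]:
    """Map each expected header to a finding string.

    Findings: "ok", "missing", "duplicate: ...", "non-canonical case: ...",
    or "unexpected value: ...".
    """
    pairs = parse_headers(raw)
    findings: Dict[str, str] = {}
    for name, allowed in EXPECTED.items():
        values = [v for n, v in pairs if n == name]
        if not values:
            findings[name] = "missing"
        elif len(values) > 1:
            findings[name] = "duplicate: " + ", ".join(values)
        elif values[0] in allowed:
            findings[name] = "ok"
        elif values[0].lower() in {a.lower() for a in allowed}:
            findings[name] = f"non-canonical case: {values[0]}"
        else:
            findings[name] = f"unexpected value: {values[0]}"
    return findings


if __name__ == "__main__":
    samples = (("ok", SAMPLE_OK), ("duplicate", SAMPLE_DUPLICATE), ("weak", SAMPLE_WEAK))
    for label, sample in samples:
        print(label, audit(sample))
```

Feeding it the head of a real response (e.g. saved from `curl -sI`) after the config change should yield `ok` for both headers; a `duplicate` finding on an app like Nextcloud is the signal that the `Header onsuccess unset` line is missing or not taking effect.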