From a3cf3aab003ffff4ce3c45e001d093533b05a0c6 Mon Sep 17 00:00:00 2001 From: Chris McKee Date: Tue, 28 Oct 2014 21:28:03 +0000 Subject: [PATCH] Extra security headers without a home --- h5bp/directive-only/extra-security.conf | 34 +++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 h5bp/directive-only/extra-security.conf diff --git a/h5bp/directive-only/extra-security.conf b/h5bp/directive-only/extra-security.conf new file mode 100644 index 0000000..2d1a7d0 --- /dev/null +++ b/h5bp/directive-only/extra-security.conf @@ -0,0 +1,34 @@ +# config to don't allow the browser to render the page inside an frame or iframe +# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking +# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri +# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options +add_header X-Frame-Options SAMEORIGIN; + +# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, +# to disable content-type sniffing on some browsers. +# https://www.owasp.org/index.php/List_of_useful_HTTP_headers +# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx +# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx +# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 +add_header X-Content-Type-Options nosniff; + +# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. +# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for +# this particular website if it was disabled by the user. +# https://www.owasp.org/index.php/List_of_useful_HTTP_headers +add_header X-XSS-Protection "1; mode=block"; + +# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy), +# you can tell the browser that it can only download content from the domains you explicitly allow +# http://www.html5rocks.com/en/tutorials/security/content-security-policy/ +# https://www.owasp.org/index.php/Content_Security_Policy +# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' +# directives for css and js(if you have inline css or js, you will need to keep it too). +# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful +add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'"; + +# Instead of relying on master policy files for meta-policies, clients may also decide to check for a X-Permitted-Cross-Domain-Policies header +# is in documents to specify a meta-policy. In addition to the values acceptable in permitted-cross-domain-policies this header may also +# use a value of none-this-response to indicate that the current document should not be used as a policy file despite other headers or its content. +# mode: http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html +add_header X-Permitted-Cross-Domain-Policies master-only;