From f6e5a123e2cbf47319501da0f309386b8fb53614 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Mon, 14 Jun 2021 12:38:26 +0200
Subject: [PATCH] Improve security headers documentation

Refresh and reorder links
---
 h5bp/security/content-security-policy.conf | 7 ++++---
 h5bp/security/referrer-policy.conf | 4 +++-
 h5bp/security/strict-transport-security.conf | 2 +-
 h5bp/security/x-content-type-options.conf | 1 +
 h5bp/security/x-frame-options.conf | 6 +++---
 5 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index f77fb4c..20c2bd8 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -19,9 +19,10 @@
 # such as:
 # https://csp-evaluator.withgoogle.com
 #
-# https://csp.withgoogle.com/docs/
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 # https://www.w3.org/TR/CSP/
+# https://owasp.org/www-project-secure-headers/#content-security-policy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://developers.google.com/web/fundamentals/security/csp
+# https://content-security-policy.com/
 
 add_header Content-Security-Policy $content_security_policy always;
diff --git a/h5bp/security/referrer-policy.conf b/h5bp/security/referrer-policy.conf
index d978a36..2c92a69 100644
--- a/h5bp/security/referrer-policy.conf
+++ b/h5bp/security/referrer-policy.conf
@@ -17,7 +17,9 @@
 # https://securityheaders.com/
 # https://observatory.mozilla.org/
 #
-# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://www.w3.org/TR/referrer-policy/
+# https://owasp.org/www-project-secure-headers/#referrer-policy
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 
 add_header Referrer-Policy $referrer_policy always;
diff --git a/h5bp/security/strict-transport-security.conf b/h5bp/security/strict-transport-security.conf
index 9f917a4..9f66063 100644
--- a/h5bp/security/strict-transport-security.conf
+++ b/h5bp/security/strict-transport-security.conf
@@ -28,9 +28,9 @@
 # https://hstspreload.org/#deployment-recommendations
 #
 # https://tools.ietf.org/html/rfc6797#section-6.1
+# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
-# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
 # https://hstspreload.org/
 
 add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
diff --git a/h5bp/security/x-content-type-options.conf b/h5bp/security/x-content-type-options.conf
index ec18803..ee0b464 100644
--- a/h5bp/security/x-content-type-options.conf
+++ b/h5bp/security/x-content-type-options.conf
@@ -9,6 +9,7 @@
 # user-uploaded content or content that could potentially be treated as
 # executable by the browser.
 #
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
 # https://mimesniff.spec.whatwg.org/
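Review bot: The refreshed comment block in the strict-transport-security.conf hunk still sends readers to https://hstspreload.org/#deployment-recommendations, but the directive that closes the hunk, `add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;`, sets a max-age of roughly 186 days and has no `preload` token, so the shipped value does not satisfy the preload-list requirements (max-age of at least 31536000 plus `preload`) that the linked page describes. That line is unchanged context here, so this is not a regression, but a reader following the newly curated links will reasonably expect the value to match them, and nothing in the hunk says why it does not. I would add, directly above the directive, a comment along the lines of `# (!) This max-age (~6 months) is below the one-year minimum hstspreload.org requires, and "preload" is intentionally omitted; raise max-age to 31536000 and append "preload" only once every subdomain is confirmed to serve HTTPS, since includeSubDomains makes any HTTP-only subdomain unreachable for the whole max-age.` If the shorter value is not deliberate, that is worth confirming with the maintainers before documenting it as such.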
diff --git a/h5bp/security/x-frame-options.conf b/h5bp/security/x-frame-options.conf
index c608670..22e7049 100644
--- a/h5bp/security/x-frame-options.conf
+++ b/h5bp/security/x-frame-options.conf
@@ -29,9 +29,9 @@
 # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
 # which obsoletes this header for supporting browsers.
 #
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 # https://tools.ietf.org/html/rfc7034
-# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
-# https://www.owasp.org/index.php/Clickjacking
+# https://owasp.org/www-project-secure-headers/#x-frame-options
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+# https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options
 
 add_header X-Frame-Options $x_frame_options always;