* Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme
- add X-Content-Type-Options nosniff [SME: 12835] - add Strict Transport Security support HSTS [SME: 12815] - add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816] - add Referrer-Policy same-origin [SME: 12817] - add OCSP Stapling support [SME: 12819] - add CSP Content-Security-Policy support [SME: 9567] - add .well-known and .well-known/security.txt [SME: 12818]
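--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,2 @@
+SSLUseStapling On
+SSLStaplingCache dbm:/run/httpd/ssl_stapling(32768)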
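Review bot: `SSLUseStapling On` is turned on without `SSLStaplingReturnResponderErrors off`, so with mod_ssl's default an OCSP responder outage or error response is stapled into the TLS handshake and clients may reject the connection; adding `SSLStaplingReturnResponderErrors off` (optionally with a short `SSLStaplingResponderTimeout`) keeps a responder failure from turning into a site outage. `SSLStaplingCache` is only valid in the global server context; where this fragment is expanded is not visible on this page, so that placement should be confirmed.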
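--- /dev/null
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +1 @@
+Header setifempty X-Content-Type-Options nosniff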
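Review bot: `Header setifempty X-Content-Type-Options nosniff` acts on the default onsuccess table, so 4xx/5xx responses (error pages, `ErrorDocument` output) are sent without the header; `Header always setifempty X-Content-Type-Options nosniff` covers those too. The same applies to the Referrer-Policy and X-Frame-Options fragments and to the `Header setifempty Content-Security-Policy` line in the CSP template later on this page. Note that the `always` and onsuccess tables are independent, so a handler that sets the header only in the onsuccess table will not satisfy `setifempty` in the `always` table; that trade-off is worth a comment next to the directive.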
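--- /dev/null
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1 @@
+Header setifempty Referrer-Policy "same-origin"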
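--- /dev/null
+++ b/PATH-NOT-ON-PAGE-4
@@ -0,0 +1,3 @@
+# prevent clickjacking attacks
+Header unset X-Frame-Options
+Header set X-Frame-Options SAMEORIGIN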
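Review bot: `Header set X-Frame-Options SAMEORIGIN` overwrites unconditionally, so an application that already sends the stricter `DENY` is downgraded to `SAMEORIGIN`, which is also inconsistent with the `setifempty` used for nosniff and Referrer-Policy on this page; `Header setifempty X-Frame-Options SAMEORIGIN` would keep an existing value. With `set`, the preceding `Header unset X-Frame-Options` is redundant, since `set` already replaces any existing header.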
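--- /dev/null
+++ b/PATH-NOT-ON-PAGE-5
@@ -0,0 +1,18 @@
+# Alias for letsencrypt, security.txt and mailconfig ...
+Alias /.well-known/ /var/www/html/.well-known/
+# do not proxy request to acme-challenge and security.txt
+ProxyPass /.well-known/security.txt !
+ProxyPass /.well-known/acme-challenge !
+
+<Directory "/var/www/html/.well-known">
+Options None
+AllowOverride None
+Require all granted
+AddDefaultCharset off
+Satisfy any
+</Directory>
+<Directory /var/www/html/.well-known/acme-challenge/>
+Header set Content-Type "application/jose+json"
+Require all granted
+Satisfy any
+</Directory>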
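Review bot: The `ProxyPass /.well-known/security.txt !` and `ProxyPass /.well-known/acme-challenge !` exclusions only take effect if they come before any broader `ProxyPass` for the same prefix in the same context, because mod_proxy evaluates ProxyPass directives in configuration order; where this fragment is expanded relative to such a catch-all is not visible here and should be confirmed. The leading comment names mailconfig, but no exclusion is added for it, so if a catch-all proxy exists those requests under `/.well-known/` would still be proxied. A comment on the exclusion lines stating the ordering requirement, e.g. `# must precede any catch-all ProxyPass for / in this vhost`, would protect the next editor.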
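--- /dev/null
+++ b/PATH-NOT-ON-PAGE-6
@@ -0,0 +1,15 @@
+{
+# return if not SSL
+return " # skipping SSL certificate\n" unless $port eq "$httpsPort";
+# return unless we have a real certificate (however, here we assume that one will not set manually a self signed one...)
+# by the way accessing with an ip will fail.
+#my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || $modSSL{'crt'} || "disabled";
+#return " # HSTS incompatible with self signed certificate\n" unless ($ssl_file_crt ne "disabled" && -e $ssl_file_crt);
+# return unless enabled for domain
+return " # HSTS disabled\n"; unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');
+# if setting preload you need max-age>= 1years in second and includeSubDomains enabled.
+my $preload = (($domains->get_prop($virtualHost, "HSTSpreload") || "disabled") eq 'enabled')? "; preload" : "";
+# default to 1 years in second to access to preload; suggested 2 years.
+my $age = ($domains->get_prop($virtualHost, "HSTSage") )? $domains->get_prop($virtualHost, "HSTSage") : "31536000";
+$OUT = 'Header always set Strict-Transport-Security "max-age=$age; includeSubDomains $preload' ;
+}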
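Review bot: On the `return " # HSTS disabled\n"; unless (...)` line the `;` ends the statement, so the template returns unconditionally and what follows is a bare `unless (...)` with no block, which is not valid Perl; in either reading the HSTS header is never emitted. The line should read `return " # HSTS disabled\n" unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');`. The `$OUT = '...'` line has the opposite problem: the string is single-quoted, so `$age` and `$preload` are never interpolated, and the closing `"` of the header value is missing; `$OUT = "Header always set Strict-Transport-Security \"max-age=$age; includeSubDomains$preload\"";` fixes both (the `$preload` value already carries its leading `; `). `HSTSage` is also inserted unvalidated; since max-age must be a number of seconds, rejecting a non-digit db value (falling back to the default) would keep a typo from producing an invalid header.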
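--- /dev/null
+++ b/PATH-NOT-ON-PAGE-7
@@ -0,0 +1,12 @@
+{
+# vim: ft=perl:
+
+$haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
+$plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
+
+$OUT = '';
+if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
+{
+$OUT .= " RewriteRule ^/.well-known/security.txt\$) https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";
+}
+}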
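Review bot: The RewriteRule pattern contains an unmatched `)` after `\$`, so the expanded directive becomes `RewriteRule ^/.well-known/security.txt$) ...`, which PCRE rejects and which makes httpd refuse the whole configuration; the dots are also unescaped, so the pattern matches more than intended. The line should be `$OUT .= " RewriteRule ^/\\.well-known/security\\.txt\$ https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";`. If the redirect is meant to be permanent, `[L,R=301]` avoids the default 302.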
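--- /dev/null
+++ b/PATH-NOT-ON-PAGE-8
@@ -0,0 +1,11 @@
+{
+use esmith::DomainsDB;
+my $db = esmith::DomainsDB->open_ro;
+my $CSP = $db->get_prop($virtualHost, "CSP") || "default-src 'self' https://www.$virtualHost https://$virtualHost; style-src 'self' https://*.$virtualHost; script-src 'self' https://*.$virtualHost; worker-src 'self' https://*.$virtualHost; frame-ancestors 'self' https://*.$virtualHost; base-uri 'self' https://*.$virtualHost; form-action 'self' https://*.$virtualHost ";
+return " # CSP disabled for this host\n" if ($CSP eq "disabled");
+if ($CSP ne '')
+{
+$OUT .= " # Content-Security-Policy; only if not set by content\n";
+$OUT .= " Header setifempty Content-Security-Policy \"$CSP\"\n";
+}
+}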
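Review bot: The admin-supplied `CSP` property is interpolated straight into the double-quoted `Header` argument, so a value containing `"` breaks the directive and with it the httpd configuration; escaping embedded quotes first, `(my $csp_arg = $CSP) =~ s/"/\\"/g;`, and emitting `$csp_arg` keeps the config parseable. The `if ($CSP ne '')` test can never be false, because the `||` default on the line that defines `$CSP` already replaces an empty value, so the branch is dead code. This template opens `esmith::DomainsDB` itself while the HSTS template on this page reads an existing `$domains`; if the template environment provides `$domains` here as well, the extra `use`/`open_ro` is unnecessary and the two fragments should agree.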
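--- /dev/null
+++ b/PATH-NOT-ON-PAGE-9
@@ -0,0 +1,9 @@
+# Our security address
+Contact: {
+# some examples
+# Contact: mailto:security@example.com
+# Contact: mailto:security%2Buri%2Bencoded@example.com
+# Contact: tel:+1-201-555-0123
+# Contact: https://example.com/security-contact.html
+${'httpd-e-smith'}{'SecurityContact'}||"mailto:admin@$DomainName"}
+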
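Review bot: `SecurityContact` is emitted verbatim, but RFC 9116 requires the Contact value to be a URI (`mailto:`, `https:` or `tel:`), so a bare e-mail address stored in the db produces a security.txt that validators reject; prefixing the scheme when none is present keeps the file valid, e.g. `my $c = ${'httpd-e-smith'}{'SecurityContact'} || "mailto:admin\@$DomainName"; $c = "mailto:$c" unless $c =~ m{ \A [a-z][a-z0-9+.-]* : }xi; $c`. The example comments inside the block are harmless to the template but will never be shown to an administrator reading the generated file, so they may be better placed as db-key documentation.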
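--- /dev/null
+++ b/PATH-NOT-ON-PAGE-10
@@ -0,0 +1,8 @@
+# Our openPGP key
+Encryption: {
+# some example
+# Encryption: https://example.com/pgp-key.txt
+# Encryption: dns:5d2d37ab76d47d36._openpgpkey.example.com?type=OPENPGPKEY
+# Encryption: openpgp4fpr:5f2de5521c63a801ab59ccb603d49de44b29100f
+${'httpd-e-smith'}{'SecurityEncryption'}||'none'}
+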
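Review bot: The `||'none'` fallback emits `Encryption: none`, which is not a URI and so makes the generated security.txt non-conforming to RFC 9116, where Encryption is optional and should simply be absent when no key is published. Moving the field label inside the block so nothing is printed when the property is unset fixes this: `{ my $e = ${'httpd-e-smith'}{'SecurityEncryption'}; $e ? "# Our openPGP key\nEncryption: $e" : "" }`.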
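--- /dev/null
+++ b/PATH-NOT-ON-PAGE-11
@@ -0,0 +1,15 @@
+# Expiration date of this policy
+Expires: {
+use strict;
+use warnings;
+use esmith::ConfigDB;
+use DateTime;
+my $db = esmith::ConfigDB->open or die "Could not open config db";
+# Obtain the TimeZone configuration database value
+my $timezone = $db->get("TimeZone")->value||"US/eastern";
+my $dt = DateTime->now(time_zone => $timezone);
+$dt->set_year($dt->year()+1);
+$dt->set_time_zone('UTC');
+$OUT = $dt."z" ;
+}
+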
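Review bot: `$db->get("TimeZone")->value` calls a method on the result of `get` without checking it, so a configuration with no TimeZone record dies inside the template instead of using the fallback; `my $tz = $db->get("TimeZone"); my $timezone = ($tz && $tz->value) || "US/Eastern";` handles that. The fallback itself is spelled `US/eastern`; Olson zone names are case sensitive and DateTime::TimeZone may fail to load the lowercase form, which is worth confirming before relying on it. `$dt->set_year($dt->year()+1)` dies when the template is expanded on 29 February and the following year is not a leap year; `$dt->add(years => 1)` clamps to 28 February instead.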
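--- /dev/null
+++ b/PATH-NOT-ON-PAGE-12
@@ -0,0 +1,8 @@
+# Prefered Languages
+Preferred-Languages: { substr( ($sysconfig{Language}||"en"),0,2) }
+{
+# see https://securitytxt.org/ for more fields
+# Acknowledgments : https://
+# Policy : https://
+# Hiring : https://
+}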