* Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme

- add X-Content-Type-Options nosniff [SME: 12835]
- add Strict Transport Security support HSTS [SME: 12815]
- add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816]
- add referrer-Policy same-origin [SME: 12817]
- add OCSP Stapling support [SME: 12819]
- add CSP Content-Security-Policy support [SME: 9567]
- add .well-known and .well-known/security.txt [SME: 12818]
This commit is contained in:
2024-12-28 23:07:10 -05:00
parent 1183147ca0
commit 460bba0655
20 changed files with 129 additions and 323 deletions

View File

@@ -0,0 +1,2 @@
SSLUseStapling On
SSLStaplingCache dbm:/run/httpd/ssl_stapling(32768)

View File

@@ -0,0 +1 @@
Header setifempty X-Content-Type-Options nosniff

View File

@@ -0,0 +1 @@
Header setifempty Referrer-Policy "same-origin"

View File

@@ -0,0 +1,3 @@
# prevent clickjacking attacks
Header unset X-Frame-Options
Header set X-Frame-Options SAMEORIGIN

View File

@@ -0,0 +1,18 @@
# Alias for letsencrypt, security.txt and mailconfig ...
Alias /.well-known/ /var/www/html/.well-known/
# do not proxy request to acme-challenge and security.txt
ProxyPass /.well-known/security.txt !
ProxyPass /.well-known/acme-challenge !
<Directory "/var/www/html/.well-known">
Options None
AllowOverride None
Require all granted
AddDefaultCharset off
Satisfy any
</Directory>
<Directory /var/www/html/.well-known/acme-challenge/>
Header set Content-Type "application/jose+json"
Require all granted
Satisfy any
</Directory>

View File

@@ -0,0 +1,15 @@
{
# return if not SSL
return " # skipping SSL certificate\n" unless $port eq "$httpsPort";
# return unless we have a real certificate (however, here we assume that one will not set manually a self signed one...)
# by the way accessing with an ip will fail.
#my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || $modSSL{'crt'} || "disabled";
#return " # HSTS incompatible with self signed certificate\n" unless ($ssl_file_crt ne "disabled" && -e $ssl_file_crt);
# return unless enabled for domain
return " # HSTS disabled\n"; unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');
# if setting preload you need max-age>= 1years in second and includeSubDomains enabled.
my $preload = (($domains->get_prop($virtualHost, "HSTSpreload") || "disabled") eq 'enabled')? "; preload" : "";
# default to 1 years in second to access to preload; suggested 2 years.
my $age = ($domains->get_prop($virtualHost, "HSTSage") )? $domains->get_prop($virtualHost, "HSTSage") : "31536000";
$OUT = 'Header always set Strict-Transport-Security "max-age=$age; includeSubDomains $preload' ;
}

View File

@@ -0,0 +1,12 @@
{
# vim: ft=perl:
$haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
$plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
$OUT = '';
if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
{
$OUT .= " RewriteRule ^/.well-known/security.txt\$) https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";
}
}

View File

@@ -0,0 +1,11 @@
{
use esmith::DomainsDB;
my $db = esmith::DomainsDB->open_ro;
my $CSP = $db->get_prop($virtualHost, "CSP") || "default-src 'self' https://www.$virtualHost https://$virtualHost; style-src 'self' https://*.$virtualHost; script-src 'self' https://*.$virtualHost; worker-src 'self' https://*.$virtualHost; frame-ancestors 'self' https://*.$virtualHost; base-uri 'self' https://*.$virtualHost; form-action 'self' https://*.$virtualHost ";
return " # CSP disabled for this host\n" if ($CSP eq "disabled");
if ($CSP ne '')
{
$OUT .= " # Content-Security-Policy; only if not set by content\n";
$OUT .= " Header setifempty Content-Security-Policy \"$CSP\"\n";
}
}