From d84d94c7e1e3e647a6ff3b0d29a780481a0638d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Mon, 13 Apr 2020 22:01:17 +0200
Subject: [PATCH] Make sure security headers are always set

Closes #186
---
 h5bp/internet_explorer/x-ua-compatible.conf | 2 +-
 h5bp/security/content-security-policy.conf | 2 +-
 h5bp/security/referrer-policy.conf | 2 +-
 h5bp/security/x-content-type-options.conf | 2 +-
 h5bp/security/x-frame-options.conf | 2 +-
 h5bp/security/x-xss-protection.conf | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/h5bp/internet_explorer/x-ua-compatible.conf b/h5bp/internet_explorer/x-ua-compatible.conf
index 31a5a485..d1139b1b 100644
--- a/h5bp/internet_explorer/x-ua-compatible.conf
+++ b/h5bp/internet_explorer/x-ua-compatible.conf
@@ -17,5 +17,5 @@
 # https://msdn.microsoft.com/en-us/library/ff955275.aspx
- Header set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+ Header always set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index ac36a1d3..99e1085f 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -75,5 +75,5 @@
 # (1) (2) (3) (4) (5) (6)
- Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
+ Header always set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
diff --git a/h5bp/security/referrer-policy.conf b/h5bp/security/referrer-policy.conf
index 08bf70f4..d15df66a 100644
--- a/h5bp/security/referrer-policy.conf
+++ b/h5bp/security/referrer-policy.conf
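Review bot: `Header always set` writes to Apache's "always" header table and does not replace a same-named header that the application or a proxied backend has already placed in the default (onsuccess) table, so on a 2xx response where the backend also emits X-UA-Compatible the client can receive both values; the same applies to the five security/*.conf hunks making the identical change (content-security-policy, referrer-policy, x-content-type-options, x-frame-options, x-xss-protection), and conflicting duplicate X-Frame-Options values in particular are not handled consistently across browsers. If overriding a backend-supplied value is intended, the Apache documentation's recommendation is to keep the `Header set` line alongside the new `Header always set` line; if not, the chosen behaviour should be documented above the directive with a comment such as `# "always" also applies this header to non-2xx responses (error documents, redirects); it does not replace a value already set by the application or backend.` The `expr=` guard on Content-Type still applies, so Apache-generated text/html error pages are now covered while error responses with other content types are not, which is worth stating in the same comment.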
@@ -22,5 +22,5 @@
 # (1)
- Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
+ Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
diff --git a/h5bp/security/x-content-type-options.conf b/h5bp/security/x-content-type-options.conf
index 7a55a0bc..d8259de1 100644
--- a/h5bp/security/x-content-type-options.conf
+++ b/h5bp/security/x-content-type-options.conf
@@ -14,5 +14,5 @@
 # https://mimesniff.spec.whatwg.org/
- Header set X-Content-Type-Options "nosniff"
+ Header always set X-Content-Type-Options "nosniff"
diff --git a/h5bp/security/x-frame-options.conf b/h5bp/security/x-frame-options.conf
index 56ad2cf5..16fb72de 100644
--- a/h5bp/security/x-frame-options.conf
+++ b/h5bp/security/x-frame-options.conf
@@ -33,5 +33,5 @@
 # https://www.owasp.org/index.php/Clickjacking
- Header set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+ Header always set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
diff --git a/h5bp/security/x-xss-protection.conf b/h5bp/security/x-xss-protection.conf
index ccb75750..29250be2 100644
--- a/h5bp/security/x-xss-protection.conf
+++ b/h5bp/security/x-xss-protection.conf
@@ -37,5 +37,5 @@
 # (1) (2)
- Header set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+ Header always set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"