adding http security headers

2026-05-15 10:08:08 +02:00
parent 091d00b5c2
commit eb3ffed163
2 changed files with 9 additions and 2 deletions
@@ -6,6 +6,13 @@ TraceEnable Off
    ServerName auth.jakach.ch
    DocumentRoot /var/www/html

+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set X-Frame-Options "DENY"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), publickey-credentials-get=(self)"
+    Header always set Content-Security-Policy "base-uri 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests"
+
    <Directory /var/www/html>
        Options FollowSymLinks
        AllowOverride All