ComputerBasForum

Hier tips en tricks

Je bent niet ingelogd.

#1 2019-11-10 23:52:57

Bas
Administrator
Geregistreerd: 2019-11-10
Posts: 79

Securityheaders in ssl.conf

Alle mogelijk denkbare headers die je redelijkerwijs nodig zou kunnen hebben staan hieronder.
Probeer ze zeker niet allemaal tegelijk aan te zetten want dan kom je er niet achter welke header een probleem geeft als je website het niet meer doet. Als je meer wilt weten over een specifieke header check wikipedia: https://en.wikipedia.org/wiki/List_of_H … der_fields

Als je Let's Encrypt gebruikt voor je SSL certificaat staat hier de conf file  /etc/letsencrypt/options-ssl-apache.conf
En in /etc/apache2/sites-enabled/000-default-le-ssl.conf  staat  Include /etc/letsencrypt/options-ssl-apache.conf

Om een nieuw configuratie bestand te gebruiken doe je dit:

sudo a2dissite 000-default-le-ssl.conf
sudo nano /etc/apache2/sites-available/computerbas.conf
<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>
DocumentRoot /var/www/computerbas
ServerName www.computerbas.nl
ServerAlias computerbas.nl
SSLUseStapling on
Include /etc/letsencrypt/ssl.conf
SSLCertificateFile /etc/letsencrypt/live/computerbas.nl/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/computerbas.nl/privkey.pem
</VirtualHost>
<Directory /var/www/computerbas>
    DirectoryIndex index.php
    AddType application/x-httpd-php .php
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
</IfModule>
sudo nano /etc/letsencrypt/ssl.conf
SSLEngine on
SSLHonorCipherOrder On
SSLCompression off
SSLUseStapling On
SSLOptions +StrictRequire
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA
SSLProtocol TLSv1.2
Protocols h2
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
SSLSessionTickets Off
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

Header always set Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload'
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set Set-Cookie __Secure-sessionid=9876543210;Path=/;Secure;HttpOnly;SameSite=Strict
Header always set X-Xss-Protection '1; mode=block'
Header always set Referrer-Policy 'no-referrer'
Header always set X-Permitted-Cross-Domain-Policies 'master-only'
Header always set X-Download-Options 'noopen'
Header always set X-Powered-By ComputerBas
Header always set Expect-CT max-age=0
Header always set Expect-Staple 'max-age=31536000; includeSubDomains; preload'

#Kijk uit met de volgende settings of je website nog wel werkt!

Header always set Content-Security-Policy "default-src 'none'; require-sri-for script style; media-src 'self'; object-src 'none'; font-src 'self'; frame-ancestors 'none'; form-action 'none'; manifest-src 'self'; img-src data: 'self'; base-uri 'none'; style-src 'self'; child-src https://gadgets.buienradar.nl; connect-src 'self'; script-src https://www.computerbas.nl; block-all-mixed-content; upgrade-insecure-requests; "
Header always set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), midi=(),fullscreen=()"
Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'; midi 'none';fullscreen 'none';speaker 'none'"

Header always set Access-Control-Allow-Origin https://computerbas.nl
Header always set Accept-Ranges bytes
Header always set Allow "GET, POST"
Header always set X-DNS-Prefetch-Control on
Header always set X-Robots-Tag none
Header always set Trailer Max-Forwards
Header always set Tk ?
Header always set X-UA-Compatible IE=edge
Header always set X-AspNet-Version ComputerBas
Header always set Access-Control-Allow-Credentials true
Header always set Access-Control-Allow-Methods "POST, GET"
Header always set Access-Control-Allow-Headers "origin"
Header always set Access-Control-Request-Method "POST, GET"
Header always set Access-Control-Request-Headers "X-PINGOTHER, Content-Type"
Header always set Access-Control-Max-Age 3600
Header always set Access-Control-Expose-Headers: Content-Length

ExpiresActive On
ExpiresDefault "access plus 1 week"
SetEnv no-gzip 1


#Header always set Cache-Control "no-cache, no-store, must-revalidate"
#Header always set Transfer-Encoding "chunked; deflate; compress; gzip; identity;"
#Header always set Warning "1#Gaat het effe niet met je headers??"
#Header always set Computerbas "Welnee joh! Gaat prima!"
#Deze nog effe niet:
#
#disown-opener;
#prefetch-src;
#reflected-xss filter;
#SSLVerifyClient optional
#sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation allow-popups allow-pointer-lock;
#plugin-types;
#worker-src;
#navigate-to;
#report-to;
#deze niet meer:
#frame-src
#child-src
#report-uri
#referrer
sudo a2ensite computerbas.conf
sudo systemctl restart apache2

Laatst bewerkt door Bas (2019-12-19 12:51:55)

Offline

Forum footer

Powered by FluxBB 1.5.11