From 10189aa197f4e4c4c8701a86912f516b611ebb36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?=
Date: Mon, 12 Apr 2021 23:01:13 +0200
Subject: [PATCH] httpd: apply the same security headers on the captive portal instance as we do elsewhere
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Captive Portal should not be framed or leak sensitive detail via Referrers either.

Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
 config/httpd/vhosts.d/captive.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index 629fa8180..51af6eac4 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -11,6 +11,8 @@ Listen 1013
 	Header always set X-Content-Type-Options nosniff
 	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+	Header always set Referrer-Policy strict-origin
+	Header always set X-Frame-Options sameorigin
 
 	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
 	Alias /assets/ /srv/web/ipfire/html/captive/assets/
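Review bot: The new `X-Frame-Options sameorigin` line is the only framing control here, while the Content-Security-Policy on the context line just above carries no `frame-ancestors` directive; X-Frame-Options is the legacy mechanism and CSP `frame-ancestors` is the one current browsers treat as authoritative, so the two should be set together. Suggest extending the CSP value with `; frame-ancestors 'self'` so that the policy and the X-Frame-Options header express the same restriction. The commit message says these are "the same security headers" as elsewhere, but the other vhost files are not in the hunk, so whether `strict-origin` and `sameorigin` match the values used there cannot be confirmed from this patch. The surrounding `<VirtualHost>` block starts before and ends after the hunk.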