webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-05-04 02:51:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

httpd: apply the same security headers on the captive portal instance as we do elsewhere

Browse Source 
The Captive Portal should not be framed or leak sensitive detail via
Referrers either.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Peter Müller
2021-04-12 23:01:13 +02:00
committed by Michael Tremer
parent 59fa881ea7
commit 10189aa197
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/httpd/vhosts.d/captive.conf
View File

@@ -11,6 +11,8 @@ Listen 1013
Header always set X-Content-Type-Options nosniff Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
Header always set Referrer-Policy strict-origin
Header always set X-Frame-Options sameorigin
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/ ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
Alias /assets/ /srv/web/ipfire/html/captive/assets/ Alias /assets/ /srv/web/ipfire/html/captive/assets/