Make Apache transmit a CSP (Content Security Policy) header for WebUI and Captive Portal contents. This prevents some XSS and content injection attacks, especially in case no transport encryption (Captive Portal!) can be used. Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
# Plain-HTTP (port 81) virtual host for the IPFire WebUI and captive portal.
# Anything that needs authentication (cgi-bin, graphs) is redirected to the
# TLS vhost on port 444 below; only static content is meant to be served here.
<VirtualHost *:81>
	DocumentRoot /srv/web/ipfire/html

	# Reject TRACE/TRACK (cross-site tracing) and OPTIONS with 403.
	# [F] implies [L], so no later rewrite rule is evaluated for these.
	# NOTE(review): the condition regex has no trailing anchor, so it matches
	# any method that merely starts with these words; harmless, but `$` would be
	# more precise. TraceEnable (server-level) is not visible in this file.
	RewriteEngine on
	RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
	RewriteRule .* - [F]

	# Stop browsers from MIME-sniffing responses (defeats content-type confusion
	# attacks on uploaded or user-controlled files).
	Header always set X-Content-Type-Options nosniff

	# Content Security Policy. default-src 'self' restricts every fetch
	# directive not listed (img, font, connect, media, object, ...) to this
	# origin. 'unsafe-inline' and 'unsafe-eval' are allowed for scripts,
	# which largely neutralises the XSS protection of script-src; presumably
	# needed by the existing inline-script-heavy WebUI -- TODO confirm and
	# tighten (nonces/hashes) once the pages are cleaned up.
	# NOTE(review): frame-ancestors, base-uri and form-action do NOT fall
	# back to default-src; clickjacking and <base>-hijacking are therefore
	# not covered by this policy. Adding `frame-ancestors 'self'` is worth
	# evaluating, provided no page on :81 is framed from another origin.
	# "always" makes the header appear on error responses (403/404) too.
	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

	# Static WebUI / captive portal content. No .htaccess overrides are
	# honoured (AllowOverride None); access is unauthenticated on purpose.
	# NOTE(review): ExecCGI only matters if a cgi-script handler is mapped for
	# this directory elsewhere in the server config -- verify, since this tree
	# is otherwise static HTML/JS/CSS.
	<Directory /srv/web/ipfire/html>
		Options ExecCGI
		AllowOverride None
		Require all granted
	</Directory>

	# Graph images are only served over TLS: any plain-HTTP request is
	# permanently redirected to the same path on port 444.
	# SERVER_NAME (not HTTP_HOST) is used as the redirect target, so the client
	# Host header is not reflected -- this holds only if UseCanonicalName is
	# On, which is not visible in this file; confirm in the global config.
	<DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
		Options SymLinksIfOwnerMatch
		RewriteEngine on
		RewriteCond %{HTTPS} off
		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
	</DirectoryMatch>

	# CGI scripts (the actual WebUI). Same HTTP->HTTPS redirect as above, so
	# credentials and session state are never exchanged on port 81.
	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
	<Directory /srv/web/ipfire/cgi-bin>
		Options SymLinksIfOwnerMatch
		RewriteEngine on
		RewriteCond %{HTTPS} off
		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
	</Directory>

	# Update cache (downloaded packages) exposed over plain HTTP.
	# NOTE(review): ExecCGI on a directory populated with downloaded files is
	# a red flag if a cgi-script handler is ever mapped here -- the files
	# would become server-side executables. Confirm no handler applies, or
	# drop ExecCGI for this tree.
	Alias /updatecache/ /var/updatecache/
	<Directory /var/updatecache>
		Options ExecCGI
		AllowOverride None
		Require all granted
	</Directory>

	# URL filter repository. Same ExecCGI caveat as /updatecache above.
	Alias /repository/ /var/urlrepo/
	<Directory /var/urlrepo>
		Options ExecCGI
		AllowOverride None
		Require all granted
	</Directory>

	# WPAD auto-discovery: serve the proxy auto-config file under the
	# well-known name browsers request.
	Alias /wpad.dat /srv/web/ipfire/html/proxy.pac
</VirtualHost>