Make Apache transmit a CSP (Content Security Policy) header for WebUI and Captive Portal contents. This prevents some XSS and content injection attacks, especially in case no transport encryption (Captive Portal!) can be used. Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
# Captive portal virtual host, served on its own port.
Listen 1013

<VirtualHost *:1013>
    DocumentRoot /srv/web/ipfire/html/captive

    # Close all connections as soon as a reply has been sent.
    # Most browsers open loads of connections which then causes
    # the access page being loaded again after a correct coupon
    # code was entered.
    KeepAlive Off

    # Both Header directives need mod_headers. "always" applies them to
    # every response, including error responses, not only to 2xx ones.
    # nosniff stops browsers from guessing a MIME type that differs from
    # the declared Content-Type.
    Header always set X-Content-Type-Options nosniff
    # Content Security Policy. Fetch types not listed explicitly (images,
    # fonts, XHR, frames, ...) fall back to default-src and are thus
    # limited to this origin. Scripts and stylesheets are limited to
    # 'self' as well, but inline script/style and eval() remain allowed
    # via 'unsafe-inline' / 'unsafe-eval' -- presumably because the
    # portal pages rely on inline code; verify before tightening. As
    # written, the policy blocks loading of third-party resources, it
    # does not block injected inline script.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
    Alias /assets/ /srv/web/ipfire/html/captive/assets/
    Alias /favicon.ico /srv/web/ipfire/html/captive/assets/favicon.ico

    # All unknown URIs will be redirected to the first
    # redirector script.
    # mod_alias evaluates Alias/ScriptAlias directives of the same
    # context in configuration order, so this catch-all must stay after
    # the specific aliases above or it would shadow them.
    ScriptAliasMatch .* /srv/web/ipfire/cgi-bin/captive/redirect.cgi

    <Directory /srv/web/ipfire/cgi-bin/captive>
        Options ExecCGI
        Require all granted
    </Directory>

    <Directory /srv/web/ipfire/html/captive>
        # "+" adds FollowSymlinks to any inherited Options instead of
        # replacing the whole set.
        Options +FollowSymlinks
        Require all granted
    </Directory>
</VirtualHost>