We should consider enabling them (uncomment them) by default. There are probably other headers we should consider including, although they probably should remain commented out.
Re the above mentioned headers, there are a few other tweaks that we probably should make:
use SAMEORIGIN rather than sameorigin - whilst lowercase should work, most docs I've come across have it uppercase so best to be consistent with that
remove colons - again it should work, but again docs don't note it
above the line to enable it, add the line Header onsuccess unset ... - that will explicitly disable it first, before setting it. That will ensure that it isn't set twice. This is quite important as some PHP apps set it themselves (e.g. Nextcloud) and/or it may be set within an .htaccess file.
prefix always to ensure that it is always applied.
I.e. they should look like this:
Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
and
Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
I note that the config for the "X-Frame-Options" & "X-Content-Type-Options" headers are already included in
/etc/apache2/conf-available/security.conf(lines 74 & [67])https://github.com/turnkeylinux/common/blob/18.x/overlays/apache/etc/apache2/conf-available/security.conf#L67) respectively). However they are commented out by default.We should consider enabling them (uncomment them) by default. There are probably other headers we should consider including, although they probably should remain commented out.
Re the above mentioned headers, there are a few other tweaks that we probably should make:
SAMEORIGINrather thansameorigin- whilst lowercase should work, most docs I've come across have it uppercase so best to be consistent with thatHeader onsuccess unset ...- that will explicitly disable it first, before setting it. That will ensure that it isn't set twice. This is quite important as some PHP apps set it themselves (e.g. Nextcloud) and/or it may be set within an.htaccessfile.alwaysto ensure that it is always applied.I.e. they should look like this:
and
refs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Following Nextcloud's lead there are probably some other headers we could include (but probably commented out):
More refs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers https://owasp.org/www-project-secure-headers/ https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html https://www.darkrelay.com/post/http-security-headers https://www.sentrium.co.uk/labs/application-security-101-http-headers https://htaccessbook.com/important-security-headers/