From: Michael Ströder
To: galene@lists.galene.org
Subject: [Galene] HTTP security headers
Date: Wed, 13 Jan 2021 14:14:13 +0100
Message-ID: <07523639-ddbe-0c35-0c83-56cbd3ab8ea8@stroeder.com>
List-Id: Galène videoconferencing server discussion list

Hi!

FWIW: find below what I've added to my Apache reverse proxy config (sorry, long lines wrapped). Of course 'self' has to be tweaked in case you have a more complex URL routing. It seems to still work ;-).

It has an A+ rating [1]. Please comment if there's something wrong with that.

Ciao, Michael.

[1] https://securityheaders.com

------------------- bite here ---------------

Header onsuccess unset Content-Security-Policy
Header always set Content-Security-Policy "base-uri 'self'; child-src 'self'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';"

Header onsuccess unset Feature-Policy
Header always set Feature-Policy "ambient-light-sensor 'none'; autoplay 'none'; accelerometer 'none'; camera 'self'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker 'self'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; vr 'none'; xr 'none'"

Header onsuccess unset Permissions-Policy
Header always set Permissions-Policy "accelerometer=(), camera=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(self), payment=(), usb=()"