* [Galene] HTTP security headers @ 2021-01-13 13:14 Michael Ströder 2021-01-13 13:47 ` [Galene] " Juliusz Chroboczek 0 siblings, 1 reply; 3+ messages in thread From: Michael Ströder @ 2021-01-13 13:14 UTC (permalink / raw) To: galene HI! FWIW: Find below what I've added to my Apache reverse proxy config (sorry, long lines wrapped). Of course 'self' has to be tweaked in case you have a more complex URL routing. It seems to still work ;-). It has A+ rating [1]. Please comment if there's something wrong with that. Ciao, Michael. [1] https://securityheaders.com ------------------- bite here --------------- Header onsuccess unset Content-Security-Policy Header always set Content-Security-Policy "base-uri 'self'; child-src 'self'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';" Header onsuccess unset Feature-Policy Header always set Feature-Policy "ambient-light-sensor 'none'; autoplay 'none'; accelerometer 'none'; camera 'self'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker 'self'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; vr 'none'; xr 'none'" Header onsuccess unset Permissions-Policy Header always set Permissions-Policy "accelerometer=(), camera=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(self), payment=(), usb=()" ^ permalink raw reply [flat|nested] 3+ messages in thread
* [Galene] Re: HTTP security headers 2021-01-13 13:14 [Galene] HTTP security headers Michael Ströder @ 2021-01-13 13:47 ` Juliusz Chroboczek 2021-01-13 15:55 ` Michael Ströder 0 siblings, 1 reply; 3+ messages in thread From: Juliusz Chroboczek @ 2021-01-13 13:47 UTC (permalink / raw) To: Michael Ströder; +Cc: galene > FWIW: Find below what I've added to my Apache reverse proxy config > (sorry, long lines wrapped). Of course 'self' has to be tweaked in case > you have a more complex URL routing. Any opinions from HTTP specialists? > It seems to still work ;-). On iPad too? I've needed to relax quite a bit the CSP header in order to humour Safari. Did you check if streaming from disk still works? -- Juliusz ^ permalink raw reply [flat|nested] 3+ messages in thread
* [Galene] Re: HTTP security headers 2021-01-13 13:47 ` [Galene] " Juliusz Chroboczek @ 2021-01-13 15:55 ` Michael Ströder 0 siblings, 0 replies; 3+ messages in thread From: Michael Ströder @ 2021-01-13 15:55 UTC (permalink / raw) To: galene On 1/13/21 2:47 PM, Juliusz Chroboczek wrote: >> FWIW: Find below what I've added to my Apache reverse proxy config >> (sorry, long lines wrapped). Of course 'self' has to be tweaked in case >> you have a more complex URL routing. > > Any opinions from HTTP specialists? Tweaked stuff some more: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Content-Security-Policy: base-uri 'self'; child-src 'self'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self'; Feature-Policy: ambient-light-sensor 'none'; autoplay 'self'; accelerometer 'none'; camera 'self'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker 'self'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; vr 'none'; xr 'none' Permissions-Policy: geolocation=(none), notifications=(none), push=(none), midi=(none), camera=(self), microphone=(self), speaker-selection=(self), device-info=(none), background-fetch=(none), background-sync=(none), bluetooth=(none), persistent-storage=(none), ambient-light-sensor=(none), accelerometer=(none), gyroscope=(none), magnetometer=(none), clipboard-read=(none), clipboard-write=(none), display-capture=(none), nfc=(none) Both Feature-Policy and Permissions-Policy are still experimental with the latter being the replacement for the former. Permissions-Policy for Media devices: https://w3c.github.io/permissions/#media-devices Permissions-Policy does not have wide support, only Chrome but not enabled by default: https://caniuse.com/permissions-policy Feature-Policy seems somewhat supported: https://caniuse.com/feature-policy >> It seems to still work ;-). > > On iPad too? I've needed to relax quite a bit the CSP header in order to > humour Safari. Do you have test devices? Then I'd send you a link for testing. > Did you check if streaming from disk still works? It works with Chromium. With my Firefox the MIME type cannot be viewed. Probably missing webm support? Ciao, Michael. ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-01-13 15:55 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-01-13 13:14 [Galene] HTTP security headers Michael Ströder 2021-01-13 13:47 ` [Galene] " Juliusz Chroboczek 2021-01-13 15:55 ` Michael Ströder
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox