
Commit 879ec46

committed
Sync apache security.conf with default from 'apache2' pkg and reapply TKL mods
1 parent 783a7c0 commit 879ec46

1 file changed

Lines changed: 13 additions & 19 deletions


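--- a/security.conf
+++ b/security.conf
@@ -1,16 +1,13 @@
-#
 # Disable access to the entire file system except for the directories that
 # are explicitly allowed later.
 #
-# This currently breaks the configurations that come with some web application
-# Debian packages.
+# This currently breaks some web app configurations
 #
 #<Directory />
 # AllowOverride None
 # Require all denied
 #</Directory>
 
-
 # Changing the following options will not really affect the security of the
 # server, but might make attacks slightly more difficult in some cases.
 
@@ -21,9 +18,6 @@
 # and compiled in modules.
 # Set to one of: Full | OS | Minimal | Minor | Major | Prod
 # where Full conveys the most information, and Prod the least.
-#ServerTokens Minimal
-#ServerTokens OS
-#ServerTokens Full
 ServerTokens Prod
 
 #
@@ -34,7 +28,6 @@ ServerTokens Prod
 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
 # Set to one of: On | Off | EMail
 ServerSignature Off
-#ServerSignature On
 
 #
 # Allow TRACE method
@@ -44,34 +37,35 @@ ServerSignature Off
 #
 # Set to one of: On | Off | extended
 TraceEnable Off
-#TraceEnable On
 
 #
 # Forbid access to version control directories
 #
 # If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for subversion:
+# probably deny access to their directories.
+#
+# Examples:
 #
-<DirectoryMatch "/\.svn">
-Require all denied
-</DirectoryMatch>
-<DirectoryMatch "/\.git">
-Require all denied
-</DirectoryMatch>
+#RedirectMatch 404 /\.git
+#RedirectMatch 404 /\.svn
+
+# Forbid acccess to any/all dot files/dirs
+RedirectMatch 404 "/\."
+# Note this will also deny access to .well-known so needs to be disabled if
+# using non-TurnKey Let's Encrypt tool - e.g. certbot
 
 #
 # Setting this header will prevent MSIE from interpreting files as something
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Content-Type-Options: "nosniff"
+Header set X-Content-Type-Options: "nosniff"
 
 #
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
-#
-#Header set X-Frame-Options: "sameorigin"
 
+Header set Content-Security-Policy "frame-ancestors 'self';"
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet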
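Review bot: The `RedirectMatch 404 "/\."` rule at new line 53 blocks `/.well-known/` wholesale, and the comment beneath it tells operators to disable the rule entirely, which re-exposes `.git`, `.svn`, `.htaccess` and every other dot path; a narrower exemption keeps the protection intact, e.g. `RedirectMatch 404 "/\.(?!well-known/)"` (Apache's regexes are PCRE, so the negative lookahead is available), and the comment should point at that instead of at disabling. The two `Header set` directives at new lines 62 and 69 operate on the default onsuccess table, so as far as I recall they are not applied to error responses such as the 404s this very rule produces; `Header always set ...` applies them to all responses. `Header set` also replaces any Content-Security-Policy an application has already emitted, so an app that ships a stricter policy would be silently downgraded to `frame-ancestors 'self';` — `Header setifempty` (or a one-line comment noting that this overrides application CSP) would make that interaction explicit.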
