1. Create the include directories if they do not already exist (the std tree holds includes for the plain-HTTP vhost, the ssl tree for the HTTPS vhost):
# mkdir -p /etc/apache2/conf.d/userdata/std/2_4/USER/example.tld/
# mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/USER/example.tld/
2. Create a .conf file. Place it directly in /etc/apache2/conf.d/userdata/ssl/2_4/USER/ (and the matching std path) to have it loaded for every domain owned by the user, or create the domain's directory under the user and place the .conf file there to apply it to that one domain only. In this example the file is named headers.conf, so for a single domain the two files are:
/etc/apache2/conf.d/userdata/ssl/2_4/USER/example.tld/headers.conf
/etc/apache2/conf.d/userdata/std/2_4/USER/example.tld/headers.conf
- In each file, put the following content. The Header and RequestHeader directives need mod_headers, so they are wrapped in an IfModule block; ProxyAddHeaders belongs to mod_proxy and sits outside it:
<IfModule mod_headers.c>
# Disable MIME sniffing, since it's an attack vector.
Header always set X-Content-Type-Options "nosniff"
# Strip the Proxy request header, since it's an attack vector (httpoxy).
RequestHeader unset Proxy
# CORS headers. "*" lets scripts on any origin read this vhost's responses,
# so narrow it to the origin(s) that actually need it unless the content is
# genuinely public. Note that "Header set" without "always" only applies to
# successful (2xx) responses.
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET"
# HSTS. Browsers only honour it when it arrives over HTTPS, so the copy in the
# std include is ignored; includeSubDomains requires every subdomain to be
# reachable over HTTPS before you enable it.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Referrer policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Clickjacking protection
Header always set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection (legacy; current browsers ignore it, kept only for old clients)
Header always set X-Xss-Protection "1; mode=block"
# Header injection. "Header unset" acts on the response; to strip the header
# from the incoming request as well, use "RequestHeader unset X-Forwarded-Host".
Header unset X-Forwarded-Host
</IfModule>
ProxyAddHeaders Off
- If scripts running on other origins need to make cross-origin POST requests to this domain, the allowed methods must include POST, as in the following example (Access-Control-Allow-Methods is only consulted during a CORS preflight, so it does not block POSTs from ordinary forms or same-origin pages):
Header set Access-Control-Allow-Methods "GET, POST"
- Rebuild httpd.conf, so that the new includes are added:
# /scripts/rebuildhttpdconf
- Restart Apache, so the new configuration is loaded:
# /scripts/restartsrv_httpd
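The whole procedure above, as an added example script (not cPanel's own tooling): it writes the headers.conf include for both the std and ssl scopes of one domain, rebuilds and restarts Apache when the cPanel scripts are present, and then checks a captured response for the headers the include is supposed to add. It goes slightly beyond the steps above in one respect: HSTS is written to the ssl include only, since browsers ignore it over plain HTTP. APACHE_ROOT (default /etc/apache2), the positional USER and DOMAIN arguments, the script name headers_include.sh and the sample response are assumptions for this example.

```sh
#!/bin/sh
# Added example, not cPanel's own code. Writes per-domain headers.conf includes
# and verifies the served headers. APACHE_ROOT is an assumed override so the
# functions can be exercised in a scratch directory before touching a server.

APACHE_ROOT="${APACHE_ROOT:-/etc/apache2}"

# write_headers_conf SCOPE USER DOMAIN
# Creates APACHE_ROOT/conf.d/userdata/SCOPE/2_4/USER/DOMAIN/headers.conf
# (SCOPE is "std" for the HTTP vhost or "ssl" for the HTTPS vhost) and
# prints the path of the file it wrote.
write_headers_conf() {
    scope="$1"; user="$2"; domain="$3"
    dir="$APACHE_ROOT/conf.d/userdata/$scope/2_4/$user/$domain"
    mkdir -p "$dir"
    # HSTS is only honoured over HTTPS, so emit it for the ssl scope only.
    if [ "$scope" = "ssl" ]; then
        hsts='Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
    else
        hsts='# (HSTS is set in the ssl include only; browsers ignore it over HTTP)'
    fi
    cat > "$dir/headers.conf" <<EOF
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
RequestHeader unset Proxy
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET"
$hsts
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header unset X-Forwarded-Host
</IfModule>
ProxyAddHeaders Off
EOF
    printf '%s\n' "$dir/headers.conf"
}

# check_response_headers FILE
# FILE holds response headers as captured by `curl -sSI https://DOMAIN/`.
# Prints each required header that is missing; returns 0 only if all are present.
check_response_headers() {
    file="$1"; missing=0
    for h in X-Content-Type-Options Referrer-Policy X-Frame-Options \
             Strict-Transport-Security; do
        if ! grep -qi "^$h:" "$file"; then
            echo "missing: $h"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample of what curl -sSI returns from a correctly configured
# HTTPS vhost (not a real capture); used for an offline self-check.
sample_https_response() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n'
    printf 'Referrer-Policy: strict-origin-when-cross-origin\r\n'
    printf 'X-Frame-Options: SAMEORIGIN\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

# Usage: sh headers_include.sh USER DOMAIN   (runs only when both are given)
if [ "$#" -eq 2 ]; then
    for scope in std ssl; do
        write_headers_conf "$scope" "$1" "$2"
    done
    # Pick up the new includes and reload Apache, as in the steps above.
    [ -x /scripts/rebuildhttpdconf ] && /scripts/rebuildhttpdconf
    [ -x /scripts/restartsrv_httpd ] && /scripts/restartsrv_httpd
    tmp="$(mktemp)"
    curl -sSI "https://$2/" > "$tmp" && check_response_headers "$tmp"
    rm -f "$tmp"
fi
```

Run it as root on the cPanel server with `sh headers_include.sh USER example.tld`; to inspect the generated files first, run it with `APACHE_ROOT=/tmp/apache-test` and look under that tree. The final check is worth repeating after any later EasyApache rebuild, since a rebuild that drops mod_headers silently disables the whole IfModule block.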