From: Peter Müller Date: Mon, 12 Apr 2021 21:01:13 +0000 (+0200) Subject: httpd: apply the same security headers on the captive portal instance as we do elsewhere X-Git-Tag: v2.25-core157~12^2~177 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=10189aa197f4e4c4c8701a86912f516b611ebb36;p=ipfire-2.x.git httpd: apply the same security headers on the captive portal instance as we do elsewhere The Captive Portal should not be framed or leak sensitive detail via Referrers either. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf index 629fa81802..51af6eac48 100644 --- a/config/httpd/vhosts.d/captive.conf +++ b/config/httpd/vhosts.d/captive.conf @@ -11,6 +11,8 @@ Listen 1013 Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + Header always set Referrer-Policy strict-origin + Header always set X-Frame-Options sameorigin ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/ Alias /assets/ /srv/web/ipfire/html/captive/assets/
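Review bot: the commit message says the Captive Portal "should not be framed", but `Header always set X-Frame-Options sameorigin` still permits framing by pages served from the same origin; if no framing at all is intended, `DENY` matches the stated intent, and the `Content-Security-Policy` line already present in this hunk could additionally carry a `frame-ancestors 'none'` directive, which is the current standard replacement for the legacy X-Frame-Options header and is honoured by browsers that ignore the latter. The claim that these are "the same security headers as we do elsewhere" cannot be checked from this diff alone, since the other vhost files are not part of the patch.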