From 583687a88d263b68b4fdb27e78a7b65120d21088 Mon Sep 17 00:00:00 2001 From: "peter.mueller@ipfire.org" Date: Mon, 4 Nov 2019 18:52:00 +0000 Subject: [PATCH] Apache: prevent Referrer leaks via WebUI MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit By default, even modern browsers sent the URL of ther originating site to another one when accessing hyperlinks. This is an information leak and may expose internal details (such as FQDN or IP address) of an IPFire installation to a third party. Signed-off-by: Peter Müller Acked-by: Michael Tremer Signed-off-by: Arne Fitzenreiter --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 + config/httpd/vhosts.d/ipfire-interface.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 2009184bb9..dc11511103 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -22,6 +22,7 @@ Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + Header always set Referrer-Policy strict-origin Options ExecCGI diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index b709944047..d95fa264ff 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -8,6 +8,7 @@ Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + Header always set Referrer-Policy strict-origin Options ExecCGI -- 2.39.5