Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.
This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
KeepAlive Off
Header always set X-Content-Type-Options nosniff
+ Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
Alias /assets/ /srv/web/ipfire/html/captive/assets/
SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
Header always set X-Content-Type-Options nosniff
+ Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
<Directory /srv/web/ipfire/html>
Options ExecCGI
RewriteRule .* - [F]
Header always set X-Content-Type-Options nosniff
+ Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
<Directory /srv/web/ipfire/html>
Options ExecCGI