git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commitdiff
httpd: apply the same security headers on the captive portal instance as we do elsewhere
author Peter Müller <peter.mueller@ipfire.org>
Mon, 12 Apr 2021 21:01:13 +0000 (23:01 +0200)
committer Michael Tremer <michael.tremer@ipfire.org>
Wed, 14 Apr 2021 17:20:30 +0000 (17:20 +0000)
The Captive Portal should not be framed or leak sensitive detail via
Referrers either.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/httpd/vhosts.d/captive.conf

index 629fa818021ad6299af8eaad582857eeb581f82c..51af6eac486a00f6599f722529bb99b7cc20c617 100644 (file)
@@ -11,6 +11,8 @@ Listen 1013
 
        Header always set X-Content-Type-Options nosniff
        Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+       Header always set Referrer-Policy strict-origin
+       Header always set X-Frame-Options sameorigin
 
        ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
        Alias /assets/ /srv/web/ipfire/html/captive/assets/
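Review bot: The Content-Security-Policy line directly above the two added headers still has no `frame-ancestors` directive, so framing is only blocked through the legacy X-Frame-Options header; modern browsers give precedence to CSP `frame-ancestors` when both are present, so consider extending the existing policy with `frame-ancestors 'self'` alongside `Header always set X-Frame-Options sameorigin` for consistent behaviour. Minor style point: the header value is conventionally written `SAMEORIGIN` (browsers match it case-insensitively, so lowercase works). Also worth checking that nothing served under `ScriptAlias /cgi-bin/` depends on the full Referer path, since `Referrer-Policy strict-origin` reduces the Referer to the bare origin even for same-origin requests.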