From 0cabaf35c2435a653928e46ddcfba5da3fc3e215 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Sun, 3 Dec 2017 18:10:47 +0100 Subject: [PATCH] prevent IE from interpreting HTML MIME type MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Add X-Content-Type-Options header to prevent Internet Explorer from interpreting the MIME type of a server answer on its own, which could lead to security risks. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/httpd/vhosts.d/captive.conf | 2 ++ config/httpd/vhosts.d/ipfire-interface-ssl.conf | 4 ++++ config/httpd/vhosts.d/ipfire-interface.conf | 2 ++ 3 files changed, 8 insertions(+) diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf index e4e1d78f1c..e71a26081e 100644 --- a/config/httpd/vhosts.d/captive.conf +++ b/config/httpd/vhosts.d/captive.conf @@ -9,6 +9,8 @@ Listen 1013 # code was entered. KeepAlive Off + Header always set X-Content-Type-Options nosniff + ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/ Alias /assets/ /srv/web/ipfire/html/captive/assets/ diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index dacf6a005f..c5d8ffba9e 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -3,10 +3,12 @@ RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS) RewriteRule .* - [F] + DocumentRoot /srv/web/ipfire/html ServerAdmin root@localhost ErrorLog /var/log/httpd/error_log TransferLog /var/log/httpd/access_log + SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA @@ -18,6 +20,8 @@ SSLCertificateFile /etc/httpd/server-ecdsa.crt SSLCertificateKeyFile /etc/httpd/server-ecdsa.key + Header always set X-Content-Type-Options nosniff + Options ExecCGI AllowOverride None diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index be15cd041c..5c7ddc7197 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -6,6 +6,8 @@ RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS) RewriteRule .* - [F] + Header always set X-Content-Type-Options nosniff + Options ExecCGI AllowOverride None -- 2.39.2