28 lines
972 B
ApacheConf
28 lines
972 B
ApacheConf
# Security Headers
|
|
Header always set X-Content-Type-Options nosniff
|
|
Header always set X-Frame-Options DENY
|
|
Header always set X-XSS-Protection "1; mode=block"
|
|
Header always set Referrer-Policy "strict-origin-when-cross-origin"
|
|
Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; script-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self';"
|
|
|
|
# Disable server signature
|
|
ServerTokens Prod
|
|
ServerSignature Off
|
|
|
|
# Prevent access to sensitive files
|
|
<Files ~ "^\.">
|
|
Order allow,deny
|
|
Deny from all
|
|
</Files>
|
|
|
|
# Prevent access to backup files
|
|
<FilesMatch "\.(bak|backup|old|tmp)$">
|
|
Order allow,deny
|
|
Deny from all
|
|
</FilesMatch>
|
|
|
|
# Enable HTTPS redirect (uncomment when using HTTPS)
|
|
# RewriteEngine On
|
|
# RewriteCond %{HTTPS} off
|
|
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
|