From b19d61c0d43c07c10542a4c13347c461f51faf85 Mon Sep 17 00:00:00 2001
From: "Hahn Axel (hahn)" <axel.hahn@unibe.ch>
Date: Fri, 10 Nov 2023 15:44:38 +0100
Subject: [PATCH] add security headers

---
 docker/templates/vhost_app.conf | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/docker/templates/vhost_app.conf b/docker/templates/vhost_app.conf
index ae25f2f..eecb318 100644
--- a/docker/templates/vhost_app.conf
+++ b/docker/templates/vhost_app.conf
@@ -15,4 +15,16 @@
     Require all denied
   </Location>
 
+  # security headers
+
+  Header unset X-Powered-By
+
+  Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+
+  Header set X-Frame-Options "SAMEORIGIN"
+  Header set X-Content-Type-Options "nosniff"
+  Header set X-XSS-Protection "1; mode=block"
+  Header set Feature-Policy "sync-xhr 'self'"
+  Header set Referrer-Policy "strict-origin-when-cross-origin"
+
 </VirtualHost>
\ No newline at end of file
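Review bot: The `Header set`/`Header unset` directives at lines 20–28 default to the `onsuccess` condition, so none of these headers are emitted on 4xx/5xx responses — including the 403 produced by the `Require all denied` block just above — which is exactly where error pages without `nosniff`, `X-Frame-Options` or HSTS tend to be noticed by scanners; each directive should carry the `always` condition, e.g. `Header always set X-Content-Type-Options "nosniff"` and `Header always unset X-Powered-By`. The HSTS value includes `includeSubDomains; preload`, which commits every subdomain to HTTPS and is effectively irreversible once the domain is submitted to the preload list; since the enclosing `<VirtualHost>` opens outside the hunk I cannot see whether this is the TLS vhost, but HSTS should only be sent over HTTPS and `preload` should be added deliberately, so a comment such as `# HSTS preload: only enable once every subdomain serves HTTPS` would help the next maintainer. `X-XSS-Protection` is deprecated and ignored by current browsers (Chromium removed the auditor), and `Feature-Policy` has been superseded by `Permissions-Policy`, so the modern equivalents would be `Header always set Permissions-Policy "sync-xhr=(self)"` with the XSS line dropped or kept only for legacy clients. A `Content-Security-Policy` header is also absent; if the application can tolerate one, even a report-only policy would add more value than the two legacy headers.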
-- 
GitLab