C3rd
[securityheaders.io] Getting an "A"
Posted: 22 Mar 2018, 11:29am - Thursday

We've been dealing with our servers' and systems' security audit. One thing I need to achieve is getting an A score for our security headers. So far I got an "A", and if you are aiming for the same goal, here are the steps: go to /etc/apache2/conf-available and edit security.conf, then at the bottom of the file add the following:
#
# to apply these settings, you must enable the apache headers module first...
# e.g.: a2enmod headers
#
# headers customised by camilo3rd | 2018-03-22 ---- [start]
#
Header unset Content-Security-Policy
#Header add Content-Security-Policy "default-src 'self'"
Header add Content-Security-Policy "default-src * 'self'; img-src * 'self' data: 'unsafe-inline'; style-src * 'self' 'unsafe-inline'; script-src * 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://www.abcs.co.nz/violationReportForCSP.php;"
Header unset X-Content-Security-Policy
#Header add X-Content-Security-Policy "default-src 'self'"
Header add X-Content-Security-Policy "default-src * 'self'; img-src * 'self' data: 'unsafe-inline'; style-src * 'self' 'unsafe-inline'; script-src * 'self' 'unsafe-inline' 'unsafe-eval';"
Header unset X-WebKit-CSP
#Header add X-WebKit-CSP "default-src 'self'"
Header add X-WebKit-CSP "default-src * 'self'; img-src * 'self' data: 'unsafe-inline'; style-src * 'self' 'unsafe-inline'; script-src * 'self' 'unsafe-inline' 'unsafe-eval';"
Header always set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
#Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
#
# headers customised by camilo3rd | 2018-03-22 ---- [end]
#

Then save, restart your apache and that's it. You should get an A score. To understand the statements above, especially the values, please refer to:
- https://developers.google.com/web/fundamentals/security/csp/
- https://content-security-policy.com/
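As an added example (not part of the post above), a small Python review script that parses the Content-Security-Policy and Strict-Transport-Security values from the snippet and lists the source expressions a defender would want to reconsider before relying on the grade; the header dict is constructed from the post's values, and the one-year threshold is the minimum max-age hstspreload.org accepts.

```python
import re
from typing import Dict, List

# Constructed sample: the header values from the Apache snippet in the post.
POSTED_HEADERS = {
    "Content-Security-Policy": (
        "default-src * 'self'; img-src * 'self' data: 'unsafe-inline'; "
        "style-src * 'self' 'unsafe-inline'; "
        "script-src * 'self' 'unsafe-inline' 'unsafe-eval'; "
        "report-uri https://www.abcs.co.nz/violationReportForCSP.php;"),
    "Strict-Transport-Security": "max-age=631138519; includeSubDomains",
}

# Source expressions that make a CSP directive effectively permissive.
WEAK_SOURCES = {
    "*": "wildcard host source: any origin may supply content",
    "'unsafe-inline'": "inline code allowed, so injected markup still runs",
    "'unsafe-eval'": "string-to-code (eval/Function) allowed",
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_findings(value: str) -> List[str]:
    """Return one finding per weak source expression found in the policy."""
    findings = []
    for directive, sources in parse_csp(value).items():
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append(f"{directive}: {src} ({WEAK_SOURCES[src]})")
    return findings

def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def review(headers: Dict[str, str]) -> List[str]:
    """Review a header set; an empty list means nothing to reconsider."""
    notes = csp_findings(headers.get("Content-Security-Policy", ""))
    age = hsts_max_age(headers.get("Strict-Transport-Security", ""))
    if age < 31536000:  # one year, the minimum hstspreload.org accepts
        notes.append(f"Strict-Transport-Security: max-age {age} is under one year")
    return notes
```

Run `review(POSTED_HEADERS)` to see that the posted policy yields eight CSP findings (every directive carries `*`, and script-src also allows inline and eval), while the HSTS max-age of roughly twenty years passes.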