C3rd

We've been dealing with our servers and systems security audit. One thing I need to achieve is getting an A score in our security headers. So far I got "A" and if you are achieving the same goal, here's the steps: Go to /etc/apache2/conf-available and edit security.conf then at the bottom of the file, add the following below:

#
# to apply this settings, you must enable apache headers first...
# e.g.: a2enmod headers
#
# headers customised by camilo3rd | 2018-03-22 ---- [start]
#
Header unset Content-Security-Policy
#Header add Content-Security-Policy "default-src 'self'"
Header add Content-Security-Policy "default-src * 'self'; img-src * 'self' data: 'unsafe-inline'; style-src * 'self' 'unsafe-inline'; script-src * 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://www.abcs.co.nz/violationReportForCSP.php;"

Header unset X-Content-Security-Policy
#Header add X-Content-Security-Policy "default-src 'self'"
Header add X-Content-Security-Policy "default-src * 'self'; img-src * 'self' data: 'unsafe-inline'; style-src * 'self' 'unsafe-inline'; script-src * 'self' 'unsafe-inline' 'unsafe-eval';"

Header unset X-WebKit-CSP
#Header add X-WebKit-CSP "default-src 'self'"
Header add  X-WebKit-CSP "default-src * 'self'; img-src * 'self' data: 'unsafe-inline'; style-src * 'self' 'unsafe-inline'; script-src * 'self' 'unsafe-inline' 'unsafe-eval';"
Header always set Referrer-Policy "same-origin"

Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
#Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
#
# headers customised by camilo3rd | 2018-03-22 ---- [end]
#

Then save.. Restart your apache and that's it. You should get an A score. To understand those statements above especially the values, please refer to:

• https://developers.google.com/web/fundamentals/security/csp/
• https://content-security-policy.com/

• Home
• Downloads

• Uncategorized
• Personal
  • Madness
  • Wooow!
  • Learn New Things
  • Food and Beverages
  • Love and Pain
  • Wonder
• Info.Tech
  • Web Development
  • Software Development
  • Administration
  • Operating Systems
  • Computer Hardware
  • Apple Products
  • Project Management
  • Experimentals
  • Mobile Development
  • Security Concerns
• People
  • Celebrities
  • Friends
  • History
• Funstuff
  • Sports
  • Entertainment
  • Photo Gallery
• Death
• Apple Stuff
  • iMac Troubleshooting

• Apache Web Server
• ASP Immigration Services Ltd.
• CentOS Linux
• Color Scheme Picker
• CSS Button Generator
• Deviant Art Account
• Don Tabaniag - GraphiCult
• Jerson Maglasang Weblog
• Joshua Manlunas
• Mark "mungkey" Vicente
• Matt Arnilo Baluyos
• MySQL
• Paul Labis
• PHP
• PrendStar
• Ridvan Baluyos
• Scott Davies
• SEO Fart XML-RPC Ping Tool
• Stripes Generator
• The Hero
• Ubuntu Linux
• Vim Carlo Nabora (DA)
• Wella Maria Hong
• What is my IP?
• Xavier University - Ateneo de Cagayan
• Zabyer Community