### Security configuration of docker httpd
### including security headers and file accesses for
### https://github.com/KazKobara/dockerfile_fswiki_local

### Security Headers

## Against Signature
ServerTokens Prod
ServerSignature Off

## Against Clickjacking
# Header set X-Frame-Options SAMEORIGIN
Header always append X-Frame-Options DENY

## Against XSS via MIME sniffing
Header always set X-Content-Type-Options nosniff

## Against XST
TraceEnable Off

## CSP (Content Security Policy)
##
## NOTE: If different CSPs are set or added multiple times,
## only the most strict policy seems to be set on certain environments,
## such as httpd 2.4.52 of alpine and ubuntu.
## In such cases, set the recommended CSP once here.
##
## CSP hash values ('sha256-...') of inline scripts can be calculated by:
## $ echo -n '<inline script contents>' | openssl sha256 -binary | openssl base64
##
###### Recommended CSP (Strict Setting): #######
## The two CSP hash values in the script-src correspond to
## the following diffview's scripts:
## 'sha256-7yauwBOy1wbSK3qiAwLRNJJdhRqtqzgtLClTapOB/4A='
##   for 'diffUsingJS(1);' in ./theme/resources/diff.js
## 'sha256-BbejOj1mgweHq0Bq0xbe0JxDKZHGdgx+vU7h23Rb3ms='
##   for 'document.getElementById("viewtype").addEventListener("click",function(){diffUsingJS(this.checked?0:1);});'
##   in the 'plugin/core/Diff.pm' (v3.6.5 + Diff.pm.patch)
# Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; child-src 'none'; style-src 'self'; script-src 'self' 'sha256-BbejOj1mgweHq0Bq0xbe0JxDKZHGdgx+vU7h23Rb3ms=' 'sha256-7yauwBOy1wbSK3qiAwLRNJJdhRqtqzgtLClTapOB/4A=';"

### Next-recommended CSP (Relaxation for 'text-align' and MathJax): ###
## This example allows:
## - inline style 'text-align' in table-cell boxes generated by
##   Discount markdown invoked by ./plugin/markdown/Markdown.pm
##   (while the ideal solution is to modify the Discount markdown
##   not to use inline styles)
##   with 'unsafe-hashes' and the following hash values:
##   'sha256-BBOGexNnujshehIQ4WlkijzyT1OZDSFMwde8dE1r6DE=' for 'text-align:left;'
##   'sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=' for 'text-align:center;'
##   'sha256-m3XTiIF20AAl/JoLbhZCLpVDCCo+QhhIqpqq9SZ30Dk=' for 'text-align:right;'
## - scripts and styles used for MathJax by adding:
##   https://cdn.jsdelivr.net/npm/mathjax@3/es5
##
## To relax further for MathJax on Chrome 99 and Edge 99,
## and only if the Web pages are used solely by trusted parties,
## add the following in the "style-src":
##   'unsafe-inline' \
##   https://cdn.jsdelivr.net/npm/mathjax@3/es5/ \
##
## Cf. https://github.com/KazKobara/kati_dark/blob/main/docs/markdown/markdown_plugin_for_fswiki.md
## for more details (though it is in Japanese).
##
## Uncomment the following lines from 'Header' to '"' if they are commented out.
Header always set Content-Security-Policy " default-src 'self'; \
    object-src 'none'; child-src 'none' ;\
    style-src 'self' \
        'unsafe-hashes' \
        'sha256-BBOGexNnujshehIQ4WlkijzyT1OZDSFMwde8dE1r6DE=' \
        'sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=' \
        'sha256-m3XTiIF20AAl/JoLbhZCLpVDCCo+QhhIqpqq9SZ30Dk=' \
        ;\
    script-src 'self' \
        https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js \
        'sha256-BbejOj1mgweHq0Bq0xbe0JxDKZHGdgx+vU7h23Rb3ms=' \
        'sha256-7yauwBOy1wbSK3qiAwLRNJJdhRqtqzgtLClTapOB/4A=' \
        ;\
    font-src 'self' \
        https://cdn.jsdelivr.net/npm/mathjax@3/es5/output/chtml/fonts/ \
        ;\
    "

### File Access
deny from all

### Directory Specific Configuration
### for File Access and Security Headers
allow from all
# Reset parent settings except 'theme'
deny from all
deny from all
# Reset parent settings, then allow from all
## NOTE: If different CSPs are set or added multiple times,
## only the most strict policy seems to be set on certain environments,
## such as httpd 2.4.52 of alpine and ubuntu.
## In such cases, set the above recommended CSP once.
allow from all
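As an added example (not part of the repository's configuration), the following Python reproduces the openssl hash computation above and checks whether an inline script or style body is allowed by a policy string, including the 'unsafe-hashes' requirement for style attributes and the rule that 'unsafe-inline' is ignored once a hash or nonce source is present. RECOMMENDED_CSP is the strict policy from this file; the function names are mine and the strings hashed in the demo are constructed.

```python
import base64
import hashlib

# Strict policy copied from the httpd.conf above (sample input for parse_csp).
RECOMMENDED_CSP = (
    "default-src 'self'; object-src 'none'; child-src 'none'; style-src 'self'; "
    "script-src 'self' 'sha256-BbejOj1mgweHq0Bq0xbe0JxDKZHGdgx+vU7h23Rb3ms=' "
    "'sha256-7yauwBOy1wbSK3qiAwLRNJJdhRqtqzgtLClTapOB/4A=';"
)


def csp_sha256(inline_text: str) -> str:
    """CSP hash-source for an inline script/style body; same result as
    echo -n '<text>' | openssl sha256 -binary | openssl base64.
    Hash the bytes exactly as served: any whitespace change breaks the match."""
    digest = hashlib.sha256(inline_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def parse_csp(header_value: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}.
    httpd.conf line continuations (backslash-newline) are tolerated."""
    policy = {}
    for directive in header_value.replace("\\\n", " ").split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def is_allowed(policy: dict, directive: str, inline_text: str,
               attribute: bool = False) -> bool:
    """Would a CSP Level 2+ browser accept this inline body under `directive`?
    - falls back to default-src when the directive is absent
    - 'unsafe-inline' is ignored once any hash or nonce source is present
    - hashes match attributes (style="...", onclick="...") only with 'unsafe-hashes'
    """
    sources = policy.get(directive, policy.get("default-src", []))
    strict_prefixes = ("'sha256-", "'sha384-", "'sha512-", "'nonce-")
    has_hash_or_nonce = any(s.startswith(strict_prefixes) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    if attribute and "'unsafe-hashes'" not in sources:
        return False
    return f"'{csp_sha256(inline_text)}'" in sources


if __name__ == "__main__":
    # Recompute the style-attribute hashes used in the relaxed policy above.
    for css in ("text-align:left;", "text-align:center;", "text-align:right;"):
        print(css, csp_sha256(css))
```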