@chris-carneiro
Last active August 9, 2017 09:15
Secured Apache configuration
######## Security ########
## Silences the ServerSignature footer on server-generated pages and reduces the
## Server header to the product name only (no version or OS details)
ServerSignature Off
ServerTokens Prod
<IfModule mod_headers.c>
## Forces HttpOnly and Secure on every cookie - mitigates cookie theft via XSS
## and cookie leakage over plain HTTP (note: appends the flags even if the
## application already set them, which yields harmless duplicate attributes)
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
## Allows the site to be framed only by pages from the same origin - mitigates clickjacking
Header set X-Frame-Options SAMEORIGIN
## Enables the browser's legacy XSS filter in blocking mode (the value must be "1; mode=block")
Header set X-XSS-Protection "1; mode=block"
## Prevents MIME-type sniffing, so responses are handled only as the declared Content-Type
Header set X-Content-Type-Options nosniff
## Content-Security-Policy mitigates XSS, clickjacking and code injection;
## NOT SUPPORTED by this application yet, so it stays disabled
# Header set Content-Security-Policy "default-src 'self';"
## Minimizes the Server response header. Note: stock httpd adds the Server header
## after mod_headers runs, so this line is normally a no-op; ServerTokens Prod above
## is what actually trims the banner
Header unset Server
## Cache control recommended by OWASP - mitigates cache poisoning and leakage of
## sensitive pages through caches:
##   private          - may only be cached by the user's browser, never by a shared cache
##   no-cache         - a cached copy must be revalidated with the origin before reuse
##   no-store         - the response must not be stored at all
##   proxy-revalidate - shared caches must not serve a stale copy without revalidating it
##   no-transform     - intermediaries must not modify or convert the resource
## This applies to every response, so static assets lose caching too; scope it if that matters
Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
## HTTP/1.0 equivalent: forces caches to submit the request to the origin server
## for validation before releasing a cached copy
Header set Pragma "no-cache"
## Note: "Header set" only applies to successful responses; use "Header always set"
## if error pages should also carry these headers
</IfModule>
## Disables the TRACE request method
TraceEnable off
<Directory "/path/to/directory">
# Indexes was removed from Options so directory listings are never served
Options FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
# "All" lets any writable .htaccess file override the settings in this block
# and costs a lookup on every request; prefer "None" unless .htaccess is required.
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
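To confirm a server really emits the policy above, here is an added Python check that audits a captured response header block against it; it is not part of the gist, and the two header blocks below are constructed samples, not captures from a real host.

```python
import re

# Policy mirrored from the Apache config above: header name -> predicate on its value.
REQUIRED = {
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": lambda v: re.fullmatch(r"1;\s*mode=block", v.strip()) is not None,
    "cache-control": lambda v: {"no-store", "no-cache", "private"}
    <= {t.strip().lower() for t in v.split(",")},
    "pragma": lambda v: v.strip().lower() == "no-cache",
}

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (lowercased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw: str) -> list[str]:
    """Return the policy violations found in a header block (empty list = compliant)."""
    headers = parse_headers(raw)
    present = {}
    for name, value in headers:
        present.setdefault(name, value)  # first value wins for single-valued headers
    findings = [f"missing {n}" if n not in present else f"weak {n}: {present[n]}"
                for n, ok in REQUIRED.items() if n not in present or not ok(present[n])]
    # Every Set-Cookie must carry the HttpOnly and Secure flags the Header edit rule appends
    for name, value in headers:
        if name == "set-cookie":
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            missing = {"httponly", "secure"} - attrs
            if missing:
                findings.append(f"cookie {value.split('=', 1)[0]} lacks {', '.join(sorted(missing))}")
    # ServerTokens Prod leaves only the product name; any digit means a version leaked
    server = present.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"server header leaks version: {server}")
    return findings

# Constructed sample responses: one from a server using this config, one with httpd defaults
HARDENED = ("HTTP/1.1 200 OK\nServer: Apache\nX-Frame-Options: SAMEORIGIN\n"
            "X-XSS-Protection: 1; mode=block\nX-Content-Type-Options: nosniff\n"
            "Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\n"
            "Pragma: no-cache\nSet-Cookie: session=abc123; Path=/;HttpOnly;Secure\n")
DEFAULT = ("HTTP/1.1 200 OK\nServer: Apache/2.4.25 (Debian)\n"
           "Set-Cookie: session=abc123; Path=/\n")

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, audit(raw) or "OK")
```

Paste the output of `curl -sI https://your-host/` in place of the samples to audit a live deployment.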