[3/4] httpd: apply the same security headers on the captive portal instance as we do elsewhere

Message ID 5251bce1-49af-64e5-a858-5e33210d9e6b@ipfire.org
State Accepted
Commit 10189aa197f4e4c4c8701a86912f516b611ebb36
Series [1/4] httpd: remove compatibility instructions for very old browsers

Commit Message

Peter Müller April 12, 2021, 9:01 p.m. UTC
The Captive Portal should not be framed or leak sensitive detail via
Referrers either.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/httpd/vhosts.d/captive.conf | 2 ++
 1 file changed, 2 insertions(+)

Patch

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index 629fa8180..51af6eac4 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -11,6 +11,8 @@  Listen 1013
 
 	Header always set X-Content-Type-Options nosniff
 	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+	Header always set Referrer-Policy strict-origin
+	Header always set X-Frame-Options sameorigin
 
 	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
 	Alias /assets/ /srv/web/ipfire/html/captive/assets/
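Review bot: the two added headers only partly close the framing gap, because the Content-Security-Policy set two lines above the new `X-Frame-Options sameorigin` carries no `frame-ancestors` directive; modern browsers take framing policy from CSP `frame-ancestors` when it is present and it is the directive that supersedes X-Frame-Options, so consider appending `; frame-ancestors 'self'` to that CSP value and keeping X-Frame-Options for older clients. The conventional spelling of the value is `SAMEORIGIN` (browsers match it case-insensitively, so `sameorigin` works, but the uppercase form matches the RFC 7034 examples and the other value `DENY`). For `Referrer-Policy strict-origin`, note that it also truncates the Referer to the origin on same-origin requests, not only cross-origin ones; if nothing under the `/cgi-bin/` ScriptAlias relies on the Referer path this is fine, otherwise `strict-origin-when-cross-origin` keeps the full Referer for same-origin navigations while still sending only the origin to other sites, which satisfies the commit message's goal of not leaking detail via Referrers.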