[3/4] httpd: apply the same security headers on the captive portal instance as we do elsewhere
Commit Message
The Captive Portal should not be framed or leak sensitive detail via
Referrers either.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/httpd/vhosts.d/captive.conf | 2 ++
1 file changed, 2 insertions(+)
@@ -11,6 +11,8 @@ Listen 1013
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+ Header always set Referrer-Policy strict-origin
+ Header always set X-Frame-Options sameorigin
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
Alias /assets/ /srv/web/ipfire/html/captive/assets/
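Review bot: The added X-Frame-Options sameorigin line restricts framing only through the legacy header, while the Content-Security-Policy on the context line directly above it has no frame-ancestors directive. frame-ancestors does not fall back to default-src, so the policy as written places no limit on who may frame the portal. Consider appending `frame-ancestors 'self'` to that existing policy in the same change so both mechanisms say the same thing. A smaller point on the Referrer-Policy line: strict-origin removes path and query but still sends the portal's origin to other sites. If the portal address itself counts as sensitive detail, no-referrer is the stricter value. Otherwise a sentence in the commit message stating that disclosing the origin is acceptable would document the choice.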