prevent IE from interpreting HTML MIME type
Commit Message
Add X-Content-Type-Options header to prevent Internet Explorer
from interpreting the MIME type of a server answer on its own,
which could lead to security risks.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/httpd/vhosts.d/captive.conf | 2 ++
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 4 ++++
config/httpd/vhosts.d/ipfire-interface.conf | 2 ++
3 files changed, 8 insertions(+)
@@ -9,6 +9,8 @@ Listen 1013
# code was entered.
KeepAlive Off
+ Header always set X-Content-Type-Options nosniff
+
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
Alias /assets/ /srv/web/ipfire/html/captive/assets/
@@ -3,10 +3,12 @@
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
+
DocumentRoot /srv/web/ipfire/html
ServerAdmin root@localhost
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
+
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
@@ -18,6 +20,8 @@
SSLCertificateFile /etc/httpd/server-ecdsa.crt
SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
+ Header always set X-Content-Type-Options nosniff
+
<Directory /srv/web/ipfire/html>
Options ExecCGI
AllowOverride None
@@ -6,6 +6,8 @@
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
+ Header always set X-Content-Type-Options nosniff
+
<Directory /srv/web/ipfire/html>
Options ExecCGI
AllowOverride None