From 7b4085e4007a14c733f77dc275cece83a4e26d7c Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sat, 26 Dec 2020 12:21:41 +0100
Subject: [PATCH] use Content-Security-Policy instead of old X-Frame-Options
---
 roles/apache/templates/security.conf | 2 +-
 roles/apache/templates/ssl.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/apache/templates/security.conf b/roles/apache/templates/security.conf
index adefdd8..9334c36 100644
--- a/roles/apache/templates/security.conf
+++ b/roles/apache/templates/security.conf
@@ -59,7 +59,7 @@ Header set X-Content-Type-Options: "nosniff"
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
 #
-Header set X-Frame-Options: "sameorigin"
+Header add Content-Security-Policy "frame-ancestors 'self'"
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/apache/templates/ssl.conf b/roles/apache/templates/ssl.conf
index fd99e1f..5fa87c3 100644
--- a/roles/apache/templates/ssl.conf
+++ b/roles/apache/templates/ssl.conf
@@ -17,7 +17,7 @@ Header unset Strict-Transport-Security
 Header set Strict-Transport-Security "max-age=864000"
 # Make sure we load everything via HTTPS
- Header set Content-Security-Policy "upgrade-insecure-requests"
+ Header add Content-Security-Policy "upgrade-insecure-requests"
 #########################################################
 # SSL configuration below ###############################
-- 
2.30.2
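Review bot: Removing the `X-Frame-Options` line leaves browsers without CSP Level 2 support (older Safari, IE) with no framing protection at all, so the new `Header add Content-Security-Policy "frame-ancestors 'self'"` should sit next to the old header rather than replace it; CSP Level 2 requires user agents that understand `frame-ancestors` to ignore X-Frame-Options when both are present, so sending both costs nothing and keeps the fallback. Neither the removed line nor the new one uses the `always` condition, so mod_headers applies the header only to the onsuccess table; error responses such as 403 or 404 pages are still frameable, and `Header always add Content-Security-Policy "frame-ancestors 'self'"` plus `Header always set X-Frame-Options "sameorigin"` is the safer form — the same point applies to the `Header add` line in the ssl.conf hunk. The comment block above already explains the clickjacking rationale; a short addition noting that both headers are sent on purpose, and why, would stop the next cleanup from removing one again. The old line's trailing colon in `X-Frame-Options:` was a quirk that the new line correctly drops.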
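Review bot: The change from `set` to `add` on the `Content-Security-Policy` line is deliberate but unexplained: with `set` this directive would overwrite the `frame-ancestors` policy that security.conf now sends under the same header name, while with `add` the response carries two Content-Security-Policy fields that the browser enforces independently. A one-line comment preserves that intent, e.g. `# "add", not "set": security.conf also sends a Content-Security-Policy (frame-ancestors) and browsers enforce every policy they receive`. Note that `add` is not idempotent — if this template is ever rendered into both server and vhost scope, the same value is emitted twice, which is harmless here but worth knowing. The new line also appears to carry leading whitespace that its neighbour `Header set Strict-Transport-Security` does not; if so, aligning it is a small style fix.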