Package: apache2
Version: 2.4.52
Severity: normal
Tags: patch

Debian Apache Maintainers,

The attached patch improves security.conf (last updated Jun 24, 2015) in the following ways:

 * Change Subversion example to git and improve it
 * Change obsolete X-Frame-Options to Content-Security-Policy
 * Add reference URLs to comments
 * Change indentation from spaces to tabs

Thank you!
Daniel Lewart
Urbana, Illinois
diff -ru a/debian/config-dir/conf-available/security.conf b/debian/config-dir/conf-available/security.conf --- a/debian/config-dir/conf-available/security.conf 2021-12-29 00:35:53.000000000 -0600 +++ b/debian/config-dir/conf-available/security.conf 2022-03-08 00:00:00.000000000 -0600 @@ -6,8 +6,8 @@ # Debian packages. # #<Directory /> -# AllowOverride None -# Require all denied +# AllowOverride None +# Require all denied #</Directory> @@ -21,6 +21,7 @@ # and compiled in modules. # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. +# https://httpd.apache.org/docs/2.4/mod/core.html#servertokens #ServerTokens Minimal ServerTokens OS #ServerTokens Full @@ -32,6 +33,7 @@ # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail +# https://httpd.apache.org/docs/2.4/mod/core.html#serversignature #ServerSignature Off ServerSignature On @@ -42,6 +44,7 @@ # diagnostic purposes). # # Set to one of: On | Off | extended +# https://httpd.apache.org/docs/2.4/mod/core.html#traceenable TraceEnable Off #TraceEnable On @@ -49,16 +52,15 @@ # Forbid access to version control directories # # If you use version control systems in your document root, you should -# probably deny access to their directories. For example, for subversion: +# probably deny access to their directories. For example, for git: # -#<DirectoryMatch "/\.svn"> -# Require all denied -#</DirectoryMatch> +#RedirectMatch 404 /\.git # # Setting this header will prevent MSIE from interpreting files as something # else than declared by the content type in the HTTP headers. # Requires mod_headers to be enabled. +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options # #Header set X-Content-Type-Options: "nosniff" 
@@ -66,8 +68,9 @@ # Setting this header will prevent other sites from embedding pages from this # site as frames. This defends against clickjacking attacks. # Requires mod_headers to be enabled. +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors # -#Header set X-Frame-Options: "sameorigin" +#Header set Content-Security-Policy "frame-ancestors 'self';" # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
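Review bot: in the "Forbid access to version control directories" hunk, the replacement `RedirectMatch 404 /\.git` is an unanchored regex, so it also returns 404 for any URL in which `/.git` is a prefix of a path component, e.g. `/.gitignore`, `/.gitattributes` or a `/.github/` directory that a site may intend to serve; anchoring it as `RedirectMatch 404 "/\.git(/|$)"` limits it to the repository directory and its contents. Note also that the removed `<DirectoryMatch "/\.svn">` example matched on the filesystem path and answered 403, whereas `RedirectMatch` matches the request URL before it is mapped to the filesystem and answers 404 (which avoids confirming that the directory exists); that is a reasonable trade, but the comment above the example should say so, and since the heading still speaks of version control directories in general, an alternation such as `RedirectMatch 404 "/\.(git|svn)(/|$)"` would keep the old case covered too.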
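Review bot: in the clickjacking hunk, `Header set Content-Security-Policy "frame-ancestors 'self';"` replaces any Content-Security-Policy header that the application behind Apache already emits, silently dropping its script-src and other directives, which is a much larger blast radius than overwriting X-Frame-Options had. Because browsers enforce every Content-Security-Policy header present on a response, `Header always add Content-Security-Policy "frame-ancestors 'self'"` adds the framing restriction without clobbering the application's own policy, and `always` makes it apply to error responses as well, which the default `onsuccess` condition of `Header set` does not. Since clients without CSP Level 2 support ignore `frame-ancestors`, the commented-out `X-Frame-Options: "sameorigin"` line is worth keeping alongside the new one rather than removing it; the comment text above the example remains accurate either way.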