Hello,
I've upgraded my csp policy to v2 setup. My server is now being
contrary, ie11 is working just fine, letting me log in to roundcube
and deal with email sending. Chrome and Firefox are both hanging at
the login screen, with no errors. Whenever I comment out the loading
of this file things start working. Is there something in this file
that is notably wrong/misconfigured?
Also, when using roundcube and modsecurity 2.9.x are there any gochas
or things that need to be specially configured?
Thanks.
Dave.
#
# httpd-security.conf:
# Security hardening settings
#
# Disable ETag
# FileETag None doesn't work in all cases.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
# Unset the server
Header unset Server
# Disable Trace http requests
TraceEnable off
# Set cookie with HttpOnly and Secure flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
#Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
#Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks
# Enforce MIME types for script and style elements
Header always set X-Content-Type-Options nosniff
# Content-Security-Policy
#Header always set Content-Security-Policy "default-src 'self';
script-src 'self'; connect-src 'self'; img-src 'self'; style-src
'self'; frame-ancestors 'self'"
# Enable Content Security Policy (Level 2)
Header always set Content-Security-Policy "default-src 'none'; img-src
'self'; style-src 'self'; font-src 'self'; base-uri 'none';
frame-ancestors 'none'; form-action 'none'"
# Disable Referrer which isn't needed when you don't use authentication
#Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"
# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
#Header always set Referrer-Policy "strict-origin"
# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'
# Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000;
includeSubDomains; preload" env=HTTPS
# unset the server powered by header
Header unset X-Powered-By
Header always unset X-Powered-By
# Disable HTTP 1.0 protocol
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
# For mod security
#<IfModule security3_module>
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
#Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
#</IfModule>
# mod_evasive
#<IfModule mod_evasive20.c>
#DOSHashTableSize 3097
#DOSPageCount 2
#DOSSiteCount 50
#DOSPageInterval 1
#DOSSiteInterval 1
#DOSBlockingPeriod 60
#DOSEmailNotify [email protected]
#DOSWhitelist 127.0.0.1
#DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
#</IfModule>
# Send the CORS header for images when browsers request it.
#
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
<FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# Allow cross-origin access to web fonts.
#
# https://developers.google.com/fonts/docs/troubleshooting
<IfModule mod_headers.c>
<FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
<IfModule mod_mime.c>
# Data interchange
AddType application/atom+xml atom
AddType application/json json map topojson
AddType application/ld+json jsonld
AddType application/rss+xml rss
AddType application/geo+json geojson
AddType application/rdf+xml rdf
AddType application/xml xml
# JavaScript
# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
AddType text/javascript js mjs
# Manifest files
AddType application/manifest+json webmanifest
AddType application/x-web-app-manifest+json webapp
AddType text/cache-manifest appcache
# Media files
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/bmp bmp
AddType image/svg+xml svg svgz
AddType image/webp webp
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying them as images:
#
https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
AddType image/x-icon cur ico
# WebAssembly
AddType application/wasm wasm
# Web fonts
AddType font/woff woff
AddType font/woff2 woff2
AddType application/vnd.ms-fontobject eot
AddType font/ttf ttf
AddType font/collection ttc
AddType font/otf otf
# Other
AddType application/octet-stream safariextz
AddType application/x-bb-appworld bbaw
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType text/calendar ics
AddType text/markdown markdown md
AddType text/vcard vcard vcf
AddType text/vnd.rim.location.xloc xloc
AddType text/vtt vtt
AddType text/x-component htc
</IfModule>
# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
AddDefaultCharset utf-8
# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
<IfModule mod_mime.c>
AddCharset utf-8 .appcache \
.bbaw \
.css \
.htc \
.ics \
.js \
.json \
.manifest \
.map \
.markdown \
.md \
.mjs \
.topojson \
.vtt \
.vcard \
.vcf \
.webmanifest \
.xloc
</IfModule>
# Block access to directories without a default document.
#
# You should leave the following uncommented, as you shouldn't allow
# anyone to surf through every directory on your server (which may
# includes rather private places such as the CMS's directories).
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
<IfModule mod_headers.c>
# no-referrer-when-downgrade (default)
# This should be the user agent's default behavior if no policy is
# specified.The origin is sent as referrer to a-priori as-much-secure
# destination (HTTPS->HTTPS), but isn't sent to a less secure destination
# (HTTPS->HTTP).
Header set Referrer-Policy "no-referrer-when-downgrade"
"expr=%{CONTENT_TYPE} =~ m#text/html#i"
</IfModule>
# Compress all output labeled with one of the following media types.
#
#
https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/geo+json" \
"application/vnd.ms-fontobject" \
"application/wasm" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"text/cache-manifest" \
"text/calendar" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/markdown" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
# Map the following filename extensions to the specified
# encoding type in order to make Apache serve the file types
# with the appropriate `Content-Encoding` response header
# (do note that this will NOT make Apache compress them!).
#
# If these files types would be served without an appropriate
# `Content-Enable` response header, client applications (e.g.:
# browsers) wouldn't know that they first need to uncompress
# the response, and thus, wouldn't be able to understand the
# content.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
<IfModule mod_mime.c>
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
