This repository was archived by the owner on Apr 16, 2021. It is now read-only.

securityonion-web-page: additional protections in securityonion.conf #976

@dougburks

From Wes Lambert:

First, we need to enable the headers module:
sudo a2enmod headers

Anti-clickjacking - The anti-clickjacking X-Frame-Options header is not defined.
https://www.owasp.org/index.php/Clickjacking
add to /etc/apache2/sites-available/securityonion.conf:
Header always append X-Frame-Options SAMEORIGIN

XSS - The X-XSS-Protection-header is not defined.
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection
add to /etc/apache2/sites-available/securityonion.conf:
Header set X-XSS-Protection "1; mode=block"

X-Content-Type - X-Content-Type-Options header is not set.
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Content-Type-Options
add to /etc/apache2/sites-available/securityonion.conf:
Header set X-Content-Type-Options nosniff

HSTS - Strict-Transport-Security header is not defined.
( I know HTTP is not currently used, but I still figured it may be a good idea to set)
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
add to /etc/apache2/sites-available/securityonion.conf:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Content-Encoding - header is set to "deflate" -- may mean that the server is vulnerable to the BREACH attack.
http://breachattack.com/
add to /etc/apache2/sites-available/securityonion.conf:
SetEnv no-gzip dont-vary

httpoxy
https://httpoxy.org/#fix-now
https://www.apache.org/security/asf-httpoxy-response.txt
add to /etc/apache2/sites-available/securityonion.conf:
RequestHeader unset Proxy early
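A quick way to verify the response-header changes above after editing securityonion.conf and reloading Apache. This is an added example, not code from the issue or from the Security Onion project. It parses a raw HTTP response (the kind `curl -sI https://<sensor>/` prints) and reports which of the listed headers are missing or mis-set, plus the Content-Encoding condition that BREACH depends on. The two sample responses are constructed for the example. One extra check assumes Apache's `Header` directive behaviour, where the token after `set` is taken literally as the header name: a stray colon in the directive (`Header set X-XSS-Protection: "..."`) ships a header named `X-XSS-Protection:`, which the parser sees as a value beginning with ':'. The httpoxy fix is a request-header change and cannot be seen in a response, so it is not checked here.

```python
import re

# Minimum HSTS lifetime the issue proposes (one year, in seconds).
HSTS_MIN_AGE = 31536000


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line + header lines) into a dict.

    Names are lowercased; repeated headers are joined with ', ' so the
    value looks the way a browser would merge it.
    """
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(h: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # A value starting with ':' means the header name itself ended in ':',
    # i.e. a typo in the Header directive (assumed Apache behaviour).
    for name, value in h.items():
        if value.startswith(":"):
            findings.append(f"{name}: value begins with ':' (stray colon in the Header directive name?)")

    # Anti-clickjacking: only DENY and SAMEORIGIN are honoured by browsers.
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    # Legacy XSS filter header, exactly as the issue proposes it.
    if not re.fullmatch(r"1;\s*mode=block", h.get("x-xss-protection", "")):
        findings.append("X-XSS-Protection not set to '1; mode=block'")

    # MIME sniffing.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not set to 'nosniff'")

    # HSTS: needs a max-age of at least a year and the includeSubDomains token.
    sts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", sts)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    elif "includesubdomains" not in sts.replace(" ", "").lower():
        findings.append("Strict-Transport-Security lacks includeSubDomains")

    # BREACH needs a compressed response; the issue disables mod_deflate via SetEnv no-gzip.
    enc = h.get("content-encoding", "").lower()
    if enc in {"gzip", "deflate", "br"}:
        findings.append(f"Content-Encoding is '{enc}': response compression enabled (BREACH exposure)")

    return findings


# Constructed sample: a response before the securityonion.conf additions.
BEFORE = """HTTP/1.1 200 OK
Server: Apache
Content-Encoding: deflate
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the same response after the additions are applied.
AFTER = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        findings = audit_headers(parse_headers(raw))
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

To audit a live sensor, feed it real output instead of the samples, e.g. `audit_headers(parse_headers(subprocess.check_output(["curl", "-sI", url]).decode()))`. The stray-colon check is what catches the original form of the X-XSS-Protection directive.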
