Posted to users@httpd.apache.org by David Mehler <da...@gmail.com> on 2019/08/06 19:59:09 UTC
[users@httpd] Question on headers, global or individual virtual host, apache 2.4?
Hello,
I'm running Apache 2.4. I've got a question on headers: should the
below be set in a global context in a configuration file? Or should
they be set in each virtual host context and wrapped in IfModule
statements?
Also, are these headers correct?
<IfModule mod_headers.c>
    Header unset ETag
    FileETag None
    Header unset Server
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    Header set X-Content-Security-Policy "allow 'self';"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
    Header set X-Frame-Options DENY
    Header set Cache-Control "public, max-age=31536000"
    Header set MyHeader "Feel safe zombiesecured headers in use!!! It took %D microseconds for Zombiesecured to serve this request on %t"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # You can gradually increase the max-age once you are confident that it has been set up properly
    Header set Expect-CT "enforce,max-age=30, report-uri=\"url\""
</IfModule>
Thanks.
Dave.
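
The following is an added example, not part of the original message: it audits a raw HTTP response for the headers the posted configuration is meant to produce (no ETag, nosniff, X-Frame-Options DENY, HSTS max-age, HttpOnly and Secure on every cookie). The function names and the sample response are constructed for illustration.

```python
# Added example: audit a raw HTTP response against the headers the posted config sets.
# SAMPLE_RESPONSE is constructed for illustration, not captured from a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'ETag: "5d49-58f"\r\n'
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: lang=en; Path=/; HttpOnly\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (lowercased name, value) pairs; repeated headers are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_policy(raw):
    """Return sorted findings; an empty list means every check passed."""
    pairs = parse_headers(raw)
    first = {}
    for name, value in pairs:
        first.setdefault(name, value)
    findings = []
    if "etag" in first:
        findings.append("ETag still present")
    if first.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if first.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    hsts = [d.strip().lower() for d in first.get("strict-transport-security", "").split(";")]
    ages = [d.split("=", 1)[1].strip('"') for d in hsts if d.startswith("max-age=")]
    if not ages or not ages[0].isdigit() or int(ages[0]) < 31536000:
        findings.append("HSTS max-age missing or below 31536000")
    for name, value in pairs:
        if name != "set-cookie":
            continue  # every Set-Cookie line is checked, not only the first
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append("cookie %s lacks %s" % (value.split("=", 1)[0], flag))
    return sorted(findings)
```

Feed `check_policy` the header block saved from a real response (for example the output of `curl -sI`) once per virtual host to see whether each one actually emits the intended set.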