Bug#776385: apache2: Wheezy default security options don't work, please fix
Package: apache2.2-common
Version: 2.2.22-13+deb7u4
Severity: important
Dear Maintainer,
*** Please consider answering these questions, where appropriate ***
* What led up to the situation? While checking my Apache headers through http://cyh.herokuapp.com/cyh
I noticed none are working. Since Debian stands for security and stability, I'm wondering why this is not working.
* What exactly did you do (or not do) that was effective (or
ineffective)? I did create a new security file in /etc/apache2/conf.d/security-custom
and added the following content, as recommended by the website mentioned above:
Header set X-Frame-Options: "sameorigin"
Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains"
Header set X-Content-Type-Options: "nosniff"
Header set Content-Type "text/html;charset=utf-8"
Header set X-XSS-Protection: "1; mode=block"
Header set Cache-Control: "no-cache, no-store, must-revalidate"
Header set Pragma: "no-cache"
Header set Expires: "-1"
Header set X-Permitted-Cross-Domain-Policies "master-only"
Header set Content-Security-Policy "Content-Security-Policy-Report-Only"
* What was the outcome of this action? None of these worked.
* What outcome did you expect instead? That at least the lines worked as stated in /etc/apache2/conf.d/security:
Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"
Header set X-XSS-Protection: "1; mode=block"
Please fix this for Debian wheezy, so we can set up a more secure Apache.
Thanks.
*** End of the template - remove these lines ***
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_user autoindex cgi deflate dir env expires headers
mime negotiation php5 proxy_http proxy reqtimeout rewrite security2
setenvif ssl status unique_id
List of enabled php5 extensions:
imap mapi pdo
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.22-13+deb7u4
ii apache2.2-common 2.2.22-13+deb7u4
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.22-13+deb7u4
ii apache2.2-bin 2.2.22-13+deb7u4
ii lsb-base 4.1+Debian8+deb7u1
ii mime-support 3.52-1+deb7u1
ii perl 5.14.2-21+deb7u2
ii procps 1:3.3.3-3
Versions of packages apache2.2-common recommends:
ii ssl-cert 1.0.32
Versions of packages apache2.2-common suggests:
pn apache2-doc <none>
pn apache2-suexec | apache2-suexec-custom <none>
ii w3m [www-browser] 0.5.3-8
-- no debconf information
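The reporter verified the headers with an external scanner (cyh.herokuapp.com). The following is an added example, not part of the bug report or of the apache2 package: an offline checker in the same spirit that parses a raw HTTP response head and reports, for each of the headers set in the reporter's security-custom file, whether it is missing, present with an acceptable value, or present but weak. The two sample responses are constructed (one resembling a stock wheezy apache2 answer with the Header lines in /etc/apache2/conf.d/security left commented out, one resembling the answer once the reporter's file is active), and the one-year HSTS threshold is an assumption taken from the reporter's own max-age value. Note that every Header directive needs mod_headers loaded (`a2enmod headers`); the reporter's module list does show it enabled.

```python
"""Offline check of HTTP security headers (added example, not from the bug report)."""
import re

# Assumed threshold: the max-age value the reporter configured (one year).
MIN_HSTS_AGE = 31536000

# A Content-Security-Policy value must contain at least one real directive;
# a bare header name such as "Content-Security-Policy-Report-Only" is not a policy.
CSP_DIRECTIVES = {"default-src", "script-src", "object-src", "frame-ancestors",
                  "base-uri", "img-src", "style-src", "connect-src"}


def _check_hsts(value):
    """Return None if max-age is present and long enough, else a reason."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return "no max-age directive"
    if int(m.group(1)) < MIN_HSTS_AGE:
        return f"max-age {m.group(1)} is shorter than {MIN_HSTS_AGE}"
    return None


def _check_csp(value):
    """Return None if the value contains a recognised CSP directive, else a reason."""
    names = {part.strip().split(" ", 1)[0].lower()
             for part in value.split(";") if part.strip()}
    if not names & CSP_DIRECTIVES:
        return "no recognised directive (value is not a policy)"
    return None


# Header name (lower-case) -> validator returning None (ok) or a reason (weak).
CHECKS = {
    "x-frame-options": lambda v: None if v.upper() in {"DENY", "SAMEORIGIN"}
    else f"unexpected value {v!r}",
    "x-content-type-options": lambda v: None if v.lower() == "nosniff"
    else f"unexpected value {v!r}",
    "x-xss-protection": lambda v: None if v.replace(" ", "").lower() in {"1;mode=block", "1", "0"}
    else f"unexpected value {v!r}",
    "strict-transport-security": _check_hsts,
    "content-security-policy": _check_csp,
    "cache-control": lambda v: None if "no-store" in v.lower() else "missing no-store",
}


def parse_response_head(raw):
    """Split a raw HTTP response head into (status line, {lower-case name: value})."""
    lines = raw.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_security_headers(raw):
    """Return {header: (state, detail)} with state in {"ok", "weak", "missing"}."""
    _, headers = parse_response_head(raw)
    report = {}
    for name, validate in CHECKS.items():
        if name not in headers:
            report[name] = ("missing", "header not sent")
            continue
        reason = validate(headers[name])
        report[name] = ("ok", headers[name]) if reason is None else ("weak", reason)
    return report


# Constructed sample: stock wheezy apache2 answer, security Header lines commented out.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 31 Jan 2015 10:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)

# Constructed sample: answer with the reporter's security-custom file active.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Content-Security-Policy: Content-Security-Policy-Report-Only\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for name, (state, detail) in check_security_headers(raw).items():
            print(f"{state:8} {name}: {detail}")
```

A real response head can be captured with `curl -sI https://host/` and passed to `check_security_headers` unchanged; curl keeps the CRLF line endings the parser expects. On the hardened sample the checker flags the Content-Security-Policy line as weak, because its value is a header name rather than a policy, which is worth knowing before copying that line from a scanner's recommendation.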