Bug#1006921: apache2: security.conf can be improved
Package: apache2
Version: 2.4.52
Severity: normal
Tags: patch
Debian Apache Maintainers,
The attached patch improves security.conf (last updated Jun 24, 2015)
in the following ways:
* Change Subversion example to git and improve it
* Change obsolete X-Frame-Options to Content-Security-Policy
* Add reference URLs to comments
* Change indentation from spaces to tabs
Thank you!
Daniel Lewart
Urbana, Illinois
diff -ru a/debian/config-dir/conf-available/security.conf b/debian/config-dir/conf-available/security.conf
--- a/debian/config-dir/conf-available/security.conf 2021-12-29 00:35:53.000000000 -0600
+++ b/debian/config-dir/conf-available/security.conf 2022-03-08 00:00:00.000000000 -0600
@@ -6,8 +6,8 @@
# Debian packages.
#
#<Directory />
-# AllowOverride None
-# Require all denied
+# AllowOverride None
+# Require all denied
#</Directory>
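Review bot: the `-`/`+` pairs in this hunk differ only in leading whitespace (spaces to tabs) inside a commented-out example, so this is a pure style change with no effect on the shipped configuration; it is consistent with the file's own vim modeline, which sets `noet`, so tabs are the file's declared convention.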
@@ -21,6 +21,7 @@
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
+# https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full
@@ -32,6 +33,7 @@
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
+# https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
#ServerSignature Off
ServerSignature On
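Review bot: the reference link is fine, but while this block is touched it is worth noting that the active line remains `ServerSignature On`, which appends the server identification controlled by `ServerTokens OS` above to error documents; a shipped default of `ServerSignature Off` would match the information-reduction intent of the rest of the patch.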
@@ -42,6 +44,7 @@
# diagnostic purposes).
#
# Set to one of: On | Off | extended
+# https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
TraceEnable Off
#TraceEnable On
@@ -49,16 +52,15 @@
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for subversion:
+# probably deny access to their directories. For example, for git:
#
-#<DirectoryMatch "/\.svn">
-# Require all denied
-#</DirectoryMatch>
+#RedirectMatch 404 /\.git
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
#
#Header set X-Content-Type-Options: "nosniff"
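Review bot: `RedirectMatch 404 /\.git` is unanchored on the right, so it also matches `/.gitignore`, `/.github/` and any other path containing `/.git`; anchoring it as `/\.git(/|$)` would limit it to the repository directory itself. `RedirectMatch` comes from mod_alias, so a "Requires mod_alias to be enabled" line in the style of the mod_headers note below would help, and dropping the Subversion `<DirectoryMatch "/\.svn">` example removes guidance that svn users still need; consider keeping both examples rather than replacing one with the other.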
@@ -66,8 +68,9 @@
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
#
-#Header set X-Frame-Options: "sameorigin"
+#Header set Content-Security-Policy "frame-ancestors 'self';"
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
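Review bot: `Header set Content-Security-Policy` replaces any Content-Security-Policy header the application already sends, so enabling this line on a site with its own policy would silently drop the application's other directives; the comment should say so, or suggest merging `frame-ancestors 'self'` into the existing policy instead. Browsers that do not understand `frame-ancestors` still honour X-Frame-Options, so keeping `#Header set X-Frame-Options "sameorigin"` alongside the new line, rather than removing it, preserves the clickjacking defence for older clients.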