Bug#1006921: apache2: security.conf can be improved



Package: apache2
Version: 2.4.52
Severity: normal
Tags: patch

Debian Apache Maintainers,

The attached patch improves security.conf (last updated Jun 24, 2015)
in the following ways:
  * Change Subversion example to git and improve it
  * Change obsolete X-Frame-Options to Content-Security-Policy
  * Add reference URLs to comments
  * Change indentation from spaces to tabs

Thank you!
Daniel Lewart
Urbana, Illinois

diff -ru a/debian/config-dir/conf-available/security.conf b/debian/config-dir/conf-available/security.conf
--- a/debian/config-dir/conf-available/security.conf	2021-12-29 00:35:53.000000000 -0600
+++ b/debian/config-dir/conf-available/security.conf	2022-03-08 00:00:00.000000000 -0600
@@ -6,8 +6,8 @@
 # Debian packages.
 #
 #<Directory />
-#   AllowOverride None
-#   Require all denied
+#	AllowOverride None
+#	Require all denied
 #</Directory>
 
 
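Review bot: the whitespace-only change in this hunk (the two `#   ` lines re-indented with a tab) is cosmetic but is mixed into the same patch as the `RedirectMatch` and `Content-Security-Policy` changes; splitting the indentation change into its own patch would let the maintainers review and apply the security-relevant parts on their own. The tabs themselves agree with the file's `noet` modeline at the bottom, so the change is consistent with the file's conventions.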
@@ -21,6 +21,7 @@
 # and compiled in modules.
 # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
 # where Full conveys the most information, and Prod the least.
+# https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
 #ServerTokens Minimal
 ServerTokens OS
 #ServerTokens Full
@@ -32,6 +33,7 @@
 # documents or custom error documents).
 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
 # Set to one of:  On | Off | EMail
+# https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
 #ServerSignature Off
 ServerSignature On
 
@@ -42,6 +44,7 @@
 # diagnostic purposes).
 #
 # Set to one of:  On | Off | extended
+# https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
 TraceEnable Off
 #TraceEnable On
 
@@ -49,16 +52,15 @@
 # Forbid access to version control directories
 #
 # If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for subversion:
+# probably deny access to their directories. For example, for git:
 #
-#<DirectoryMatch "/\.svn">
-#   Require all denied
-#</DirectoryMatch>
+#RedirectMatch 404 /\.git
 
 #
 # Setting this header will prevent MSIE from interpreting files as something
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 #
 #Header set X-Content-Type-Options: "nosniff"
 
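Review bot: the new `#RedirectMatch 404 /\.git` line depends on mod_alias, whereas the `<DirectoryMatch>` block it replaces needed no extra module; the comment should say so, as the mod_headers examples below already do. The regex is also unanchored, so it matches any URL path containing `/.git`, including `/.gitignore`, `/.gitmodules` and `/.github/`; if hiding those is intended, the comment should state it, otherwise `RedirectMatch 404 "/\.git(/|$)"` limits it to the directory itself. Answering 404 instead of the 403 that `Require all denied` produces avoids confirming that the directory exists, which is a real improvement and is worth stating in the comment. Since the surrounding text still speaks of "version control systems" in general, consider keeping the subversion example next to the git one rather than dropping it.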
@@ -66,8 +68,9 @@
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
 #
-#Header set X-Frame-Options: "sameorigin"
+#Header set Content-Security-Policy "frame-ancestors 'self';"
 
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
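Review bot: replacing `X-Frame-Options: "sameorigin"` with `Content-Security-Policy "frame-ancestors 'self';"` drops protection for clients that only understand the older header; the usual recommendation is to send both, so keeping the `X-Frame-Options` line commented alongside the CSP line is safer than removing it. `Header set Content-Security-Policy` also overwrites any CSP that an application behind this server emits itself (the separate `X-Frame-Options` header had no such collision), which the comment should warn about. Pre-existing but worth fixing while touching the line: plain `Header set` only applies to successful responses, so error pages go out without the header unless `Header always set` is used.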
