Univention Bugzilla – Bug 51296
Add more HTTP security headers for UMC
Last modified: 2023-06-19 15:34:58 CEST
There are some "relatively" new HTTP security features which could be integrated into UMC / Apache2 / etc:

"Feature-Policy" can be set to disable certain features browsers can ask for, like geolocation, speakers, microphone, push, etc. It's similar to Content-Security-Policy.
https://scotthelme.co.uk/a-new-security-header-feature-policy/

"Referrer-Policy" can be used to set when an HTTP "Referer" header should be set.
https://scotthelme.co.uk/a-new-security-header-referrer-policy/
We should probably set this to "same-origin" as UMC sometimes checks the Referrer for CSRF reasons.

And "X-Content-Type-Options" stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type.
https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options

    Header always setifempty "X-Content-Type-Options" "nosniff"
    Header always setifempty "Referrer-Policy" "same-origin"
    Header always setifempty "Feature-Policy" "…"
We should also add "Permissions-Policy":

> The permissions policy serves to increase the security as well as the usability of your website. The following examples can be implemented with the Permissions Policy:
> - Access to sensitive data is prevented by preventing access to the microphone, camera, location, etc. of the user or their end device.
> - The automatic playback of videos that are integrated by 3rd party resources.
> - Disable the use of outdated as well as user-unfriendly APIs, such as synchronous XHR requests.
>
> A permissions policy is composed of one or more policy directives. Such a directive in turn consists of a feature name and a so-called "AllowList". To tell the web browser which policy is to be used, there are two ways:
> - via HTTP header
> - via allow attribute for iframe elements
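One way to verify that a deployment actually sends the headers proposed in this bug is to audit a captured response: check X-Content-Type-Options and Referrer-Policy against acceptable values and parse the Permissions-Policy value into the feature/allowlist pairs the quote describes, flagging sensitive features that are still allowed. This is an added example, not Univention or UMC code; the acceptable values, the list of sensitive features and the two sample header sets are constructed assumptions, and the legacy Feature-Policy syntax (`feature 'none'; ...`) is not handled.

```python
"""Audit HTTP response headers for the hardening headers proposed in this bug.

Added example, not Univention/UMC code.  The expected header values and the
list of sensitive features are assumptions; the sample header sets below are
constructed for the demonstration.
"""

from __future__ import annotations

# Values treated as acceptable for each header (assumption based on the proposal).
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"same-origin", "no-referrer", "strict-origin-when-cross-origin"},
}

# Browser features an admin UI like UMC has no reason to request (assumption).
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")


def parse_permissions_policy(value: str) -> dict[str, list[str]]:
    """Parse a Permissions-Policy value into {feature: allowlist}.

    Directives are comma-separated, each `feature=(token token ...)` or
    `feature=token`.  An empty list `()` disables the feature everywhere,
    `*` allows it everywhere, `self` allows the page's own origin, and a
    quoted string is an explicit origin.
    """
    policy: dict[str, list[str]] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, allow = entry.partition("=")
        if not sep:
            raise ValueError(f"malformed Permissions-Policy directive: {entry!r}")
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            tokens = allow[1:-1].split()
        else:
            tokens = [allow]
        policy[name.strip().lower()] = [t.strip('"') for t in tokens if t]
    return policy


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings (empty when all checks pass)."""
    findings: list[str] = []
    lowered = {k.lower(): v.strip() for k, v in headers.items()}

    for name, acceptable in EXPECTED.items():
        if name not in lowered:
            findings.append(f"missing {name}")
        elif lowered[name].lower() not in acceptable:
            findings.append(f"weak {name}: {lowered[name]!r}")

    if "permissions-policy" not in lowered:
        findings.append("missing permissions-policy")
        return findings

    policy = parse_permissions_policy(lowered["permissions-policy"])
    for feature in SENSITIVE_FEATURES:
        allowlist = policy.get(feature)
        if allowlist is None:
            # An unmentioned feature falls back to the browser default, which
            # for these features is "self": the page itself may still use it.
            findings.append(f"permissions-policy does not mention {feature}")
        elif allowlist:
            findings.append(
                f"permissions-policy allows {feature} for: {' '.join(allowlist)}"
            )
    return findings


# Constructed sample: a response before the proposed headers are added
# (not captured from a real UMC instance).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": 'camera=*, microphone=(self "https://example.invalid"), geolocation=()',
}

# Constructed sample: the response after the proposed headers are set.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['ok']}")
```

The `Header always setifempty` lines from the report are what would produce the hardened set; running the audit against a real response (for example the headers from `curl -sI` against the UMC URL) shows whether the Apache configuration is actually in effect and whether any sensitive feature is still allowed to `*` or to a foreign origin.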