mirror of
https://github.com/pi-hole/pi-hole
synced 2024-12-22 23:08:07 +00:00
Merge pull request #4862 from pi-hole/tweak/lighttpd_headers
Add security-related headers to Pi-hole web interface
This commit is contained in:
commit
4cf3280500
@ -78,10 +78,21 @@ include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsen
|
|||||||
|
|
||||||
# If the URL starts with /admin, it is the Web interface
|
# If the URL starts with /admin, it is the Web interface
|
||||||
$HTTP["url"] =~ "^/admin/" {
|
$HTTP["url"] =~ "^/admin/" {
|
||||||
# Create a response header for debugging using curl -I
|
# X-Pi-hole is a response header for debugging using curl -I
|
||||||
|
# X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
|
||||||
|
# X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input.
|
||||||
|
# X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
|
||||||
|
# Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
|
||||||
|
# X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
|
||||||
|
# Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
|
||||||
setenv.add-response-header = (
|
setenv.add-response-header = (
|
||||||
"X-Pi-hole" => "The Pi-hole Web interface is working!",
|
"X-Pi-hole" => "The Pi-hole Web interface is working!",
|
||||||
"X-Frame-Options" => "DENY"
|
"X-Frame-Options" => "DENY",
|
||||||
|
"X-XSS-Protection" => "1; mode=block",
|
||||||
|
"X-Content-Type-Options" => "nosniff",
|
||||||
|
"Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
|
||||||
|
"X-Permitted-Cross-Domain-Policies" => "none",
|
||||||
|
"Referrer-Policy" => "same-origin"
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -86,10 +86,21 @@ fastcgi.server = (
|
|||||||
|
|
||||||
# If the URL starts with /admin, it is the Web interface
|
# If the URL starts with /admin, it is the Web interface
|
||||||
$HTTP["url"] =~ "^/admin/" {
|
$HTTP["url"] =~ "^/admin/" {
|
||||||
# Create a response header for debugging using curl -I
|
# X-Pi-hole is a response header for debugging using curl -I
|
||||||
|
# X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
|
||||||
|
# X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input.
|
||||||
|
# X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
|
||||||
|
# Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
|
||||||
|
# X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
|
||||||
|
# Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
|
||||||
setenv.add-response-header = (
|
setenv.add-response-header = (
|
||||||
"X-Pi-hole" => "The Pi-hole Web interface is working!",
|
"X-Pi-hole" => "The Pi-hole Web interface is working!",
|
||||||
"X-Frame-Options" => "DENY"
|
"X-Frame-Options" => "DENY",
|
||||||
|
"X-XSS-Protection" => "1; mode=block",
|
||||||
|
"X-Content-Type-Options" => "nosniff",
|
||||||
|
"Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
|
||||||
|
"X-Permitted-Cross-Domain-Policies" => "none",
|
||||||
|
"Referrer-Policy" => "same-origin"
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user