diff -urw -X .bugs_etc_ignore orig/etc/apache2/conf-available/security.conf bugs/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf	2015-11-28 13:59:22.000000000 +0100
+++ bugs/etc/apache2/conf-available/security.conf	2016-05-08 14:04:46.335145675 +0200
@@ -5,11 +5,11 @@
 # This currently breaks the configurations that come with some web application
 # Debian packages.
 #
-#<Directory />
-#   AllowOverride None
-#   Order Deny,Allow
-#   Deny from all
-#</Directory>
+<Directory />
+	AllowOverride None
+	Order Deny,Allow
+	Deny from all
+</Directory>
 
 
 # Changing the following options will not really affect the security of the
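Review bot: The newly enabled `<Directory />` block uses the 2.2-style `Order Deny,Allow` / `Deny from all` directives, but the `conf-available/security.conf` path suggests an Apache 2.4 layout, where these only work with mod_access_compat loaded and mixing them with `Require` directives elsewhere in the config gives hard-to-reason-about authorization results. The 2.4-native equivalent is to replace the two lines with `Require all denied`, keeping `AllowOverride None`. The surrounding comment still warns that this block breaks some Debian web-application packages, so every served directory now needs an explicit grant (e.g. `Require all granted` in its own `<Directory>`), and it would help to state that in the comment, e.g. `# Enabled deliberately: every DocumentRoot/Alias must grant access explicitly.`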
@@ -61,14 +61,24 @@
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Content-Type-Options: "nosniff"
+Header set X-Content-Type-Options: "nosniff"
+
+#
+# Some browsers have a built-in XSS filter that will detect some cross site
+# scripting attacks. By default, these browsers modify the suspicious part of
+# the page and display the result. This behavior can create various problems
+# including new security issues. This header will tell the XSS filter to
+# completely block access to the page instead.
+# Requires mod_headers to be enabled.
+#
+Header set X-XSS-Protection: "1; mode=block"
 
 #
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Frame-Options: "sameorigin"
+Header set X-Frame-Options: "sameorigin"
 
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
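Review bot: `Header set` only adds the header to successful (2xx) responses, so the three security headers enabled here are absent from 4xx/5xx pages, which is exactly where reflected content in error responses tends to be exploitable; use the `always` condition instead: `Header always set X-Content-Type-Options "nosniff"`, `Header always set X-XSS-Protection "1; mode=block"`, `Header always set X-Frame-Options "sameorigin"`. Because these lines are no longer commented out, Apache will refuse to start if mod_headers is not enabled; either ensure `a2enmod headers` is part of the deployment or wrap the directives in `<IfModule mod_headers.c>` (the former fails loudly, the latter silently drops the protections, so the choice should be documented in the comment). Note also that the XSS-filter header is a legacy browser mechanism that has itself been associated with security issues and is no longer honored by current browsers, so a Content-Security-Policy would be the more durable control; that is presumably out of scope for this change but worth a comment.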