Date:      Fri, 9 Oct 2020 21:00:14 +0000 (UTC)
From:      Dave Cottlehuber <dch@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r551826 - in head/www: h2o-devel/files h2o/files
Message-ID:  <202010092100.099L0Epc056853@repo.freebsd.org>

Author: dch
Date: Fri Oct  9 21:00:14 2020
New Revision: 551826
URL: https://svnweb.freebsd.org/changeset/ports/551826

Log:
  www/h2o*: set default http headers in samples, not add
  
  This improves the default security posture of both h2o-flavoured ports.
  
  Submitted by:	Uwe Trenkner <uwe@trenknerconsulting.com>
  Sponsored by:	SkunkWerks, GmbH

Modified:
  head/www/h2o-devel/files/h2o.conf.sample.in
  head/www/h2o/files/h2o.conf.sample.in

Modified: head/www/h2o-devel/files/h2o.conf.sample.in
==============================================================================
--- head/www/h2o-devel/files/h2o.conf.sample.in	Fri Oct  9 20:51:29 2020	(r551825)
+++ head/www/h2o-devel/files/h2o.conf.sample.in	Fri Oct  9 21:00:14 2020	(r551826)
@@ -29,15 +29,15 @@ listen:
     cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
 # A+ on https://securityheaders.io/
-header.add: "x-frame-options: deny"
-header.add: "X-XSS-Protection: 1; mode=block"
-header.add: "X-Content-Type-Options: nosniff"
-header.add: "X-UA-Compatible: IE=Edge"
-header.add: "Referrer-Policy: strict-origin"
-header.add: "Cache-Control: no-transform"
-header.add: "Content-Security-Policy: default-src https:"
+header.set: "x-frame-options: deny"
+header.set: "X-XSS-Protection: 1; mode=block"
+header.set: "X-Content-Type-Options: nosniff"
+header.set: "X-UA-Compatible: IE=Edge"
+header.set: "Referrer-Policy: strict-origin"
+header.set: "Cache-Control: no-transform"
+header.set: "Content-Security-Policy: default-src https:"
 # 6 months HSTS pinning
-header.add: "Strict-Transport-Security: max-age=16000000"
+header.set: "Strict-Transport-Security: max-age=16000000"
 
 # limit POST bodies
 limit-request-body: 10485760 # 10MiB
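Review bot: The switch to `header.set` on the new lines means these values now overwrite any header a backend behind `proxy.reverse` emits, and nothing in the sample says so; an application that serves its own stricter or nonce-based Content-Security-Policy will have it silently replaced by `default-src https:`, and the same applies to X-Frame-Options and the HSTS line. I would add a comment above the block, e.g. `# header.set replaces any value from the backend; use header.setifempty for headers an application must control itself`, so that operators adapting the sample know which directive to pick. Separately, `X-XSS-Protection: 1; mode=block` enables a browser filter that current guidance recommends disabling (`X-XSS-Protection: 0`) because it has been withdrawn from major browsers and can be abused for information leaks; worth reconsidering while the defaults are being tightened. The hunk in head/www/h2o/files/h2o.conf.sample.in makes the identical change and carries the same points.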

Modified: head/www/h2o/files/h2o.conf.sample.in
==============================================================================
--- head/www/h2o/files/h2o.conf.sample.in	Fri Oct  9 20:51:29 2020	(r551825)
+++ head/www/h2o/files/h2o.conf.sample.in	Fri Oct  9 21:00:14 2020	(r551826)
@@ -29,15 +29,15 @@ listen:
     cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
 # A+ on https://securityheaders.io/
-header.add: "x-frame-options: deny"
-header.add: "X-XSS-Protection: 1; mode=block"
-header.add: "X-Content-Type-Options: nosniff"
-header.add: "X-UA-Compatible: IE=Edge"
-header.add: "Referrer-Policy: strict-origin"
-header.add: "Cache-Control: no-transform"
-header.add: "Content-Security-Policy: default-src https:"
+header.set: "x-frame-options: deny"
+header.set: "X-XSS-Protection: 1; mode=block"
+header.set: "X-Content-Type-Options: nosniff"
+header.set: "X-UA-Compatible: IE=Edge"
+header.set: "Referrer-Policy: strict-origin"
+header.set: "Cache-Control: no-transform"
+header.set: "Content-Security-Policy: default-src https:"
 # 6 months HSTS pinning
-header.add: "Strict-Transport-Security: max-age=16000000"
+header.set: "Strict-Transport-Security: max-age=16000000"
 
 # limit POST bodies
 limit-request-body: 10485760 # 10MiB


