diff --git a/.htaccess b/.htaccess
index 0d73822..25ddcbc 100644
--- a/.htaccess
+++ b/.htaccess
@@ -94,11 +94,14 @@ DirectoryIndex index.php index.html index.htm
 #add CSP (report only)
 #Header set Content-Security-Policy-Report-Only "default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://csrichter.report-uri.com/r/d/csp/wizard"
-Header set Content-Security-Policy "form-action 'self'; img-src 'self' data: www.gravatar.com https://baptisten-hohenacker.de/piwikCR/piwik.php; frame-src 'self' www.openstreetmap.org; style-src 'self' 'unsafe-inline'; connect-src 'self' getgrav.org; media-src 'self'; font-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://baptisten-hohenacker.de 'report-sample';upgrade-insecure-requests; report-uri https://csrichter.report-uri.com/r/d/csp/enforce"
+Header set Content-Security-Policy "form-action 'self'; img-src 'self' data: www.gravatar.com https://baptisten-hohenacker.de/piwikCR/piwik.php; frame-src 'self' www.openstreetmap.org; style-src 'self' 'unsafe-inline'; connect-src 'self' getgrav.org; media-src 'self'; font-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://baptisten-hohenacker.de 'report-sample';upgrade-insecure-requests; report-uri https://csrichter.report-uri.com/r/d/csp/enforce" env=HTTPS
 #TODO: move img-src data: and unsave-eval to separate file in /piwikCR
+
+#set HSTS, but only for TLS connections
+Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload" env=HTTPS
+
 Header set X-XSS-Protection "1; report=https://csrichter.report-uri.com/r/d/xss/enforce"
 Header set Referrer-Policy "strict-origin-when-cross-origin"
-Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
 Header set X-Frame-Options "SAMEORIGIN"
 Header set X-Content-Type-Options "nosniff"
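Review bot: Both new `Header set ... env=HTTPS` lines use `Header set` without `always`, so in Apache they are only attached to 2xx responses and are silently omitted on redirects and error pages — which means the HSTS header is missing on exactly the 301/302 hops the `preload` submission is checked against, and CSP/HSTS do not cover 4xx/5xx pages that can still contain reflected content. Change them to `Header always set Content-Security-Policy "..." env=HTTPS` and `Header always set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload" env=HTTPS` (the same applies to the unchanged X-Frame-Options / X-Content-Type-Options lines below). The `env=HTTPS` condition presumably relies on mod_ssl setting `HTTPS=on`; if TLS is terminated at a proxy in front of this host that variable is not set and both headers would be dropped entirely — worth confirming against the deployment. Separately, and predating this change, the enforced policy has no `default-src`, unlike the commented report-only one, so unlisted directives such as `object-src` and `base-uri` are unrestricted; appending `object-src 'none'; base-uri 'self';` would close that without affecting the sources already whitelisted.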