89 lines
2.5 KiB
Django/Jinja
89 lines
2.5 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
|
|
#
|
|
# Disable access to the entire file system except for the directories that
|
|
# are explicitly allowed later.
|
|
#
|
|
# This currently breaks the configurations that come with some web application
|
|
# Debian packages.
|
|
#
|
|
<Directory />
|
|
AllowOverride None
|
|
Require all denied
|
|
</Directory>
|
|
|
|
|
|
# Changing the following options will not really affect the security of the
|
|
# server, but might make attacks slightly more difficult in some cases.
|
|
|
|
#
|
|
# ServerTokens
|
|
# This directive configures what you return as the Server HTTP response
|
|
# Header. The default is 'Full' which sends information about the OS-Type
|
|
# and compiled in modules.
|
|
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
|
|
# where Full conveys the most information, and Prod the least.
|
|
ServerTokens Prod
|
|
#ServerTokens OS
|
|
#ServerTokens Full
|
|
|
|
#
|
|
# Optionally add a line containing the server version and virtual host
|
|
# name to server-generated pages (internal error documents, FTP directory
|
|
# listings, mod_status and mod_info output etc., but not CGI generated
|
|
# documents or custom error documents).
|
|
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
|
|
# Set to one of: On | Off | EMail
|
|
ServerSignature Off
|
|
#ServerSignature On
|
|
|
|
#
|
|
# Allow TRACE method
|
|
#
|
|
# Set to "extended" to also reflect the request body (only for testing and
|
|
# diagnostic purposes).
|
|
#
|
|
# Set to one of: On | Off | extended
|
|
TraceEnable Off
|
|
#TraceEnable On
|
|
|
|
#
|
|
# Forbid access to version control directories
|
|
#
|
|
# If you use version control systems in your document root, you should
|
|
# probably deny access to their directories. For example, for subversion:
|
|
#
|
|
<DirectoryMatch "/\.(git|svn|subversion)">
|
|
Require all denied
|
|
</DirectoryMatch>
|
|
|
|
#
|
|
# Setting this header will prevent MSIE from interpreting files as something
|
|
# else than declared by the content type in the HTTP headers.
|
|
# Requires mod_headers to be enabled.
|
|
#
|
|
#Header set X-Content-Type-Options: "nosniff"
|
|
|
|
#
|
|
# Setting this header will prevent other sites from embedding pages from this
|
|
# site as frames. This defends against clickjacking attacks.
|
|
# Requires mod_headers to be enabled.
|
|
#
|
|
#Header set X-Frame-Options: "sameorigin"
|
|
|
|
{% if apache_security_headers %}
|
|
#
|
|
# Security headers for PCI-DSS.
|
|
#
|
|
Header always set X-Content-Type-Options: "nosniff"
|
|
Header always set X-Frame-Options: "sameorigin"
|
|
Header always set X-XSS-Protection "1; mode=block"
|
|
{% endif %}
|
|
|
|
#
|
|
# Accept host names with _underscores_
|
|
#
|
|
HTTPProtocolOptions unsafe
|
|
|
|
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
|