ssl.conf missing trailing always #391
Comments
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
I'll look more into these headers again, but when they were introduced they were explicitly made the bare minimum to pass most security scanners, because most other settings would be more restrictive and less universal. If there are any updated settings we could ship that are still fairly universal I'll definitely consider it. P.S. I tend to use the recommendations from observatory.mozilla.com as a reference for how to set these out of the box, but I'm open to reading other sources.
No issues. I had no idea what I was doing. I just used one of those security checking sites that pointed out some of the headers were not being applied. I did not change any of the settings nor do I understand what they do. I just noticed all the other lines included always at the end and tried adding it to the 2 missing lines. Headers were then reporting as working after rescanning.
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
I need to look at this. Sorry I've been busy.
Applying this finally allowed Firefox to load my subdomains inside frames.
Is there an existing issue for this?
Current Behavior
The optional additional SSL headers are missing the always tag on a couple of the lines, causing the headers to not be applied.
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header Permissions-Policy "interest-cohort=()";
Expected Behavior
After adding "always" before ";", the headers are applied.
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
#add_header Permissions-Policy "interest-cohort=()" always;
Steps To Reproduce
/swag/nginx/ssl.conf
lines 33, 34
Environment
CPU architecture
x86-64
Docker creation
Container logs
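Added example, not part of the issue thread or the project's own code: a small Python check that lists `add_header` lines in an nginx config that lack the trailing `always` parameter, including commented-out optional lines like the two quoted in the issue. Without `always`, nginx adds the header only to responses with certain status codes (200, 201, 204, 206, 301, 302, 303, 304, 307, 308), so error responses go out without it. The function name `find_missing_always` and the sample config (the issue's lines plus constructed ones) are assumptions for illustration.

```python
import re

# nginx syntax: add_header name value [always];
# Quoted values may contain ';' (as in a CSP), so quoted strings are consumed whole.
# A leading '#' is captured so commented-out (optional) directives are checked too.
DIRECTIVE = re.compile(
    r"""^[ \t]*(?P<off>\#[ \t]*)?add_header[ \t]+
        (?P<args>(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^;"'\n])*);""",
    re.VERBOSE,
)
TOKEN = re.compile(r""""(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^\s"']+""")


def find_missing_always(conf_text, include_commented=True):
    """Return [(line_no, header_name, is_commented)] for add_header lines without 'always'."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # not a single-line add_header directive
        commented = m.group("off") is not None
        if commented and not include_commented:
            continue
        tokens = TOKEN.findall(m.group("args"))
        if len(tokens) < 2:
            continue  # malformed: needs at least a name and a value
        # 'always' only counts as the optional third parameter, not as the value.
        if len(tokens) < 3 or tokens[-1] != "always":
            findings.append((line_no, tokens[0], commented))
    return findings


# Constructed sample: line 1 is made up; lines 2-3 are the issue's "current"
# lines and line 4 is one of its "expected" lines.
SAMPLE = '''\
add_header X-Content-Type-Options "nosniff" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header Permissions-Policy "interest-cohort=()";
#add_header Permissions-Policy "interest-cohort=()" always;
'''

if __name__ == "__main__":
    for line_no, name, commented in find_missing_always(SAMPLE):
        state = "commented out" if commented else "active"
        print(f"line {line_no}: {name} ({state}) has no 'always'")
```

Multi-line directives and headers set in included files are outside what this sketch checks.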