From 4db1e7c4454ea05c524be4cc385ede1bab2e1be4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 24 Oct 2016 11:31:41 -0400 Subject: Set X-XSS-Protection HTTP response header to '1'. This HTTP response header enables the Cross-site scripting (XSS) filter built into some modern web browsers. This header is usually enabled by default anyway, so the role of this header is to re-enable the filter if it was disabled maliciously, or by accident. --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 5e27a9e4..e68b9ebe 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -23,6 +23,7 @@ Listen 0.0.0.0:<%= @api_port %> <% end -%> Header always unset X-Powered-By Header always unset X-Runtime + Header always set X-XSS-Protection "1; mode=block" Header always set X-Content-Type-Options: nosniff -- cgit v1.2.3
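Review bot: The added `Header always set X-XSS-Protection "1; mode=block"` line sets block mode, while the commit subject says the header is set to '1', and nothing in the template records which is intended; a comment above it such as `# XSS filter in block mode: the browser refuses to render the page instead of sanitising it` would settle that. The header only affects browsers that still ship an XSS filter, and several have removed it, so it is better treated as a legacy fallback than as the XSS control for this API vhost. If no `Content-Security-Policy` header is set elsewhere in this template (not visible here, since the vhost block starts and ends outside the hunk), a restrictive one such as `Header always set Content-Security-Policy "default-src 'none'"` would be the more durable measure, to be checked against what the API actually serves.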