[eostre.git] / drupal-configs / apache2 / conf-enabled / security.conf

#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#   AllowOverride None
#   Require all denied
#</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#ServerSignature Off
ServerSignature On

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off
#TraceEnable On

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Commit	Line	Data
436d9fbf	1	#
	2	# Disable access to the entire file system except for the directories that
	3	# are explicitly allowed later.
	4	#
	5	# This currently breaks the configurations that come with some web application
	6	# Debian packages.
	7	#
	8	#<Directory />
	9	# AllowOverride None
09c20003	10	# Require all denied
436d9fbf	11	#</Directory>
	12
	13
	14	# Changing the following options will not really affect the security of the
	15	# server, but might make attacks slightly more difficult in some cases.
	16
	17	#
	18	# ServerTokens
	19	# This directive configures what you return as the Server HTTP response
	20	# Header. The default is 'Full' which sends information about the OS-Type
	21	# and compiled in modules.
	22	# Set to one of: Full \| OS \| Minimal \| Minor \| Major \| Prod
	23	# where Full conveys the most information, and Prod the least.
	24	#ServerTokens Minimal
	25	ServerTokens OS
	26	#ServerTokens Full
	27
	28	#
	29	# Optionally add a line containing the server version and virtual host
	30	# name to server-generated pages (internal error documents, FTP directory
	31	# listings, mod_status and mod_info output etc., but not CGI generated
	32	# documents or custom error documents).
	33	# Set to "EMail" to also include a mailto: link to the ServerAdmin.
	34	# Set to one of: On \| Off \| EMail
	35	#ServerSignature Off
	36	ServerSignature On
	37
	38	#
	39	# Allow TRACE method
	40	#
	41	# Set to "extended" to also reflect the request body (only for testing and
	42	# diagnostic purposes).
	43	#
	44	# Set to one of: On \| Off \| extended
	45	TraceEnable Off
	46	#TraceEnable On
	47
	48	#
	49	# Forbid access to version control directories
	50	#
	51	# If you use version control systems in your document root, you should
	52	# probably deny access to their directories. For example, for subversion:
	53	#
	54	#<DirectoryMatch "/\.svn">
	55	# Require all denied
	56	#</DirectoryMatch>
	57
	58	#
	59	# Setting this header will prevent MSIE from interpreting files as something
	60	# else than declared by the content type in the HTTP headers.
	61	# Requires mod_headers to be enabled.
	62	#
	63	#Header set X-Content-Type-Options: "nosniff"
	64
	65	#
	66	# Setting this header will prevent other sites from embedding pages from this
	67	# site as frames. This defends against clickjacking attacks.
	68	# Requires mod_headers to be enabled.
	69	#
	70	#Header set X-Frame-Options: "sameorigin"
	71
	72
	73	# vim: syntax=apache ts=4 sw=4 sts=4 sr noet