Forum

CustomHeader and https

Milouse
29 August 2016, 16:02
Hi!

I think I've missed something, but I couldn't find out where.

I'm trying to pass some « security » related headers in the HTTP response on my website. Here is the virtualhost configuration:

VirtualHost {
Hostname = etienne.depar.is
WebsiteRoot = /srv/http/letsencrypt
ReverseProxy !^/.well-known http://192.168.12.2 15
PreventXSS = yes
PreventCSRF = block
#AllowDotFiles = yes
TLScertFile = /etc/letsencrypt/live/etienne.depar.is/hiawatha.pem
RequireTLS = yes,15768000
CustomHeader = Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
CustomHeader = Content-Security-Policy: default-src https:
CustomHeader = X-Content-Type-Options: nosniff
CustomHeader = X-Frame-Options: DENY
CustomHeader = X-XSS-Protection: 1; mode=block
}


When I try to access my website over HTTP, I can see the custom headers in the first response (the one with the 301, due to RequireTLS), but they never appear in the HTTPS response: https://framabin.org/?b64e78c286ab1b2f#RQaartoVazWtSKfUSqsmbmZiPzKhidK5o3/i8gRH9PA=

Is this the expected behavior? If not, do you have any idea what my error is?

Thank you very much,

Étienne
Hugo Leisink
31 August 2016, 21:03
Could it be that the tool you used hides those headers? I tried telnet and openssl to connect to my webserver. The custom header I configured was present in every response.
Milouse
3 September 2016, 16:09
Mmmh. I just wget or curl my home page. Nothing fancy. I'll investigate more and report if I find something. I use Cloudflare too. Could it be them that remove these headers?
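To settle the two questions raised above (does the client tool hide the headers, and does Cloudflare strip them on the way through), here is an added checker, not code from the thread or from Hiawatha, that parses a raw response as captured with telnet or openssl s_client and lists which of the configured headers are missing; the live fetch function, the sample responses and example.invalid are assumptions constructed for this example.

```python
import socket
import ssl

# Headers the VirtualHost in the thread should add to every response.
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options",
                    "X-XSS-Protection")


def parse_raw_response(raw):
    """Parse a raw HTTP/1.x response head (as pasted from telnet or
    `openssl s_client`) into (status_code, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def missing_headers(headers, expected=EXPECTED_HEADERS):
    """Names from `expected` that are absent from a parsed header dict."""
    return [name for name in expected if name.lower() not in headers]


def fetch_https_headers(server_name, connect_to=None, path="/"):
    """Live check over TLS (not run here). `connect_to` may be the origin's
    own address, so a CDN in front of it is bypassed while SNI, certificate
    validation and the Host header still use the real server name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to or server_name, 443)) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            tls.sendall(f"HEAD {path} HTTP/1.1\r\nHost: {server_name}\r\n"
                        "Connection: close\r\n\r\n".encode())
            raw = b""
            while chunk := tls.recv(4096):
                raw += chunk
    return parse_raw_response(raw.decode("iso-8859-1"))


# Constructed samples mirroring the thread: headers on the 301, none on 200.
# Browsers ignore Strict-Transport-Security on plain HTTP (RFC 6797), so the
# headers only take effect once they are present on the HTTPS reply.
RAW_301 = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.invalid/\r\n"
           "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload\r\n"
           "Content-Security-Policy: default-src https:\r\nX-Content-Type-Options: nosniff\r\n"
           "X-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n\r\n")
RAW_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
```

Comparing the result of fetch_https_headers(name) with fetch_https_headers(name, connect_to=origin_address) shows whether the headers leave the server at all or are dropped by the proxy in front of it.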
mustafa@bigraf.com
3 September 2016, 19:42
Try:
CustomHeader = Strict-Transport-Security: max-age=15768000;includeSubDomains;preload
CustomHeader = Content-Security-Policy:default-src 'https:'
CustomHeader = X-Content-Type-Options:nosniff
CustomHeader = X-Frame-Options:DENY
CustomHeader = X-XSS-Protection:1;mode=block

This topic has been closed.