{
"id": "headers",
"name": "Headers",
"description": "Manage HTTP headers sent to clients.",
"version": "1.0",
"stream": "no",
"settings": {
"CUSTOM_HEADER": {
"context": "multisite",
"default": "",
"help": "Custom header to add (HeaderName: HeaderValue).",
"id": "custom-header",
"label": "Custom header (HeaderName: HeaderValue)",
"regex": "^([\\w\\-]+: .+)?$",
"type": "text",
"multiple": "custom-headers"
},
"REMOVE_HEADERS": {
"context": "multisite",
"default": "Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version Public-Key-Pins",
"help": "Headers to remove (Header1 Header2 Header3 ...)",
"id": "remove-headers",
"label": "Remove headers",
"regex": "^(?! )( ?[\\w\\-]+)*$",
"type": "text"
},
"KEEP_UPSTREAM_HEADERS": {
"context": "multisite",
"default": "Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options",
"help": "Headers to keep from upstream (Header1 Header2 Header3 ... or * for all).",
"id": "keep-upstream-headers",
"label": "Keep upstream headers",
"regex": "^((?! )( ?[\\w\\-]+)+|\\*)?$",
"type": "text"
},
"STRICT_TRANSPORT_SECURITY": {
"context": "multisite",
"default": "max-age=31536000; includeSubDomains; preload",
"help": "Value for the Strict-Transport-Security header.",
"id": "strict-transport-security",
"label": "Strict-Transport-Security",
"regex": "^max-age=\\d+(; includeSubDomains(; preload)?)?$",
"type": "text"
},
"COOKIE_FLAGS": {
"context": "multisite",
"default": "* HttpOnly SameSite=Lax",
"help": "Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).",
"id": "cookie-flags",
"label": "Cookie flags",
"regex": "^(\\*|[^;]+)( (HttpOnly|(SameSite)(?!.*\\4)(=(Lax|Strict))?)(?!.*\\3))*$",
"type": "text",
"multiple": "cookie-flags"
},
"COOKIE_AUTO_SECURE_FLAG": {
"context": "multisite",
"default": "yes",
"help": "Automatically add the Secure flag to all cookies.",
"id": "cookie-auto-secure-flag",
"label": "Cookie auto Secure flag",
"regex": "^(yes|no)$",
"type": "check"
},
"CONTENT_SECURITY_POLICY": {
"context": "multisite",
"default": "object-src 'none'; form-action 'self'; frame-ancestors 'self';",
"help": "Value for the Content-Security-Policy header.",
"id": "content-security-policy",
"label": "Content-Security-Policy",
"regex": "^.*$",
"type": "text"
},
"CONTENT_SECURITY_POLICY_REPORT_ONLY": {
"context": "multisite",
"default": "no",
"help": "Send reports for violations of the Content-Security-Policy header instead of blocking them.",
"id": "content-security-policy-report-only",
"label": "Content-Security-Policy-Report-Only",
"regex": "^(yes|no)$",
"type": "check"
},
"REFERRER_POLICY": {
"context": "multisite",
"default": "strict-origin-when-cross-origin",
"help": "Value for the Referrer-Policy header.",
"id": "referrer-policy",
"label": "Referrer-Policy",
"regex": "^(?!^(,| ))((, )?(no-referrer-when-downgrade|no-referrer|origin-when-cross-origin|same-origin|strict-origin-when-cross-origin|strict-origin|origin|unsafe-url)(?!\\b.*, \\4\\b))*$",
"type": "text"
},
"PERMISSIONS_POLICY": {
"context": "multisite",
"default": "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()",
"help": "Value for the Permissions-Policy header.",
"id": "permissions-policy",
"label": "Permissions-Policy",
"regex": "^(?![, ])(,? ?([a-z\\-]+)(?!.*[^\\-]\\2=)=(\\*|\\(( ?(self|\\u0022https?:\\/\\/[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*\\u0022)(?=[ \\)]))*\\)))*$",
"type": "text"
},
"DISABLE_FLOC": {
"context": "multisite",
"default": "yes",
"help": "Disable FLoC (Federated Learning of Cohorts) by adding the interest-cohort=() directive to the Permissions-Policy header.",
"id": "disable-floc",
"label": "Disable FLoC (Federated Learning of Cohorts)",
"regex": "^(yes|no)$",
"type": "check"
},
"X_FRAME_OPTIONS": {
"context": "multisite",
"default": "SAMEORIGIN",
"help": "Value for the X-Frame-Options header.",
"id": "x-frame-options",
"label": "X-Frame-Options",
"regex": "^(DENY|SAMEORIGIN)?$",
"type": "select",
"select": ["", "DENY", "SAMEORIGIN"]
},
"X_CONTENT_TYPE_OPTIONS": {
"context": "multisite",
"default": "nosniff",
"help": "Value for the X-Content-Type-Options header.",
"id": "x-content-type-options",
"label": "X-Content-Type-Options",
"regex": "^(nosniff)?$",
"type": "select",
"select": ["", "nosniff"]
},
"X_XSS_PROTECTION": {
"context": "multisite",
"default": "1; mode=block",
"help": "Value for the X-XSS-Protection header.",
"id": "x-xss-protection",
"label": "X-XSS-Protection",
"regex": "^0|1(; (mode=block|report=https?:\\/\\/[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*))?$",
"type": "text"
},
"X_DNS_PREFETCH_CONTROL": {
"context": "multisite",
"default": "off",
"help": "Value for the X-DNS-Prefetch-Control header.",
"id": "x-dns-prefetch-control",
"label": "X-DNS-Prefetch-Control",
"regex": "^(on|off)$",
"type": "select",
"select": ["on", "off"]
}
}
}