Update Strict-Transport-Security header value and documentation

This commit is contained in:
Théophile Diot 2025-01-14 15:44:56 +01:00
parent 69fe0f9e8a
commit d5187ddab6
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
3 changed files with 20 additions and 20 deletions


@ -1584,7 +1584,7 @@ Headers play a crucial role in HTTP security. While some headers may be overly v
STREAM support :x:
You can use the `REMOVE_HEADERS` setting to automatically remove specific verbose headers from HTTP responses. By default, it removes the following headers: `Server`, `X-Powered-By`, `X-AspNet-Version`, and `X-AspNetMvc-Version`.
You can use the `REMOVE_HEADERS` setting to automatically remove specific verbose headers from HTTP responses. By default, it removes the following headers: `Server`, `Expect-CT`, `X-Powered-By`, `X-AspNet-Version`, `X-AspNetMvc-Version` and `Public-Key-Pins`.
Headers to be removed should be listed and separated by spaces.
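Review bot: this hunk extends the documented `REMOVE_HEADERS` default with `Expect-CT` and `Public-Key-Pins`, which the commit message ("Update Strict-Transport-Security header value and documentation") does not mention; either mention the `REMOVE_HEADERS` doc update in the message or split it into its own commit. The new list does agree with the `REMOVE_HEADERS` default shown in the settings table later in this commit.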
@ -1627,7 +1627,7 @@ STREAM support :x:
| Header | Setting | Default |
| :-------------------------: | :-------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
| `Content-Security-Policy` | `CONTENT_SECURITY_POLICY` | `object-src 'none'; form-action 'self'; frame-ancestors 'self';` |
| `Strict-Transport-Security` | `STRICT_TRANSPORT_SECURITY` | `max-age=31536000; includeSubDomains; preload` |
| `Strict-Transport-Security` | `STRICT_TRANSPORT_SECURITY` | `mmax-age=63072000; includeSubDomains; preload` |
| `Referrer-Policy` | `REFERRER_POLICY` | `strict-origin-when-cross-origin` |
| `Permissions-Policy` | `PERMISSIONS_POLICY` | `accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=(), interest-cohort=()` |
| `X-Frame-Options` | `X_FRAME_OPTIONS` | `SAMEORIGIN` |
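Review bot: the added `Strict-Transport-Security` row has a typo in the default, `mmax-age=63072000; includeSubDomains; preload`; it should be `max-age=63072000; includeSubDomains; preload` so that the documentation matches the setting's actual default (`max-age=63072000; includeSubDomains; preload`) and the value would pass the `^(max-age=\d+...)$` validation regex that the settings file applies. As written, a reader copying the documented default would get a value the regex rejects.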


@ -175,12 +175,12 @@ STREAM support :x:
Compress HTTP requests with the brotli algorithm.
| Setting | Default | Context | Multiple | Description |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ------------------------------------------------------- |
| `USE_BROTLI` | `no` | multisite | no | Use brotli |
| `BROTLI_TYPES` | `application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml` | multisite | no | List of MIME types that will be compressed with brotli. |
| `BROTLI_MIN_LENGTH` | `1000` | multisite | no | Minimum length for brotli compression. |
| `BROTLI_COMP_LEVEL` | `6` | multisite | no | The compression level of the brotli algorithm. |
| Setting | Default | Context | Multiple | Description |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ---------------------------------------------------------------------------- |
| `USE_BROTLI` | `no` | multisite | no | Enable or disable Brotli compression. |
| `BROTLI_TYPES` | `application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml` | multisite | no | List of MIME types that will be compressed with brotli. |
| `BROTLI_MIN_LENGTH` | `1000` | multisite | no | Minimum response size (in bytes) for Brotli compression to apply. |
| `BROTLI_COMP_LEVEL` | `6` | multisite | no | Compression level for Brotli (0 = no compression, 11 = maximum compression). |
## BunkerNet
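Review bot: the reworded `BROTLI_MIN_LENGTH` description now says "Minimum response size (in bytes)", but the unchanged intro line above still reads "Compress HTTP requests with the brotli algorithm"; since the settings describe response compression, the intro should say "responses" for consistency. Also, the `BROTLI_COMP_LEVEL` legend "0 = no compression, 11 = maximum compression" is phrased differently from the gzip legend in the same commit ("1 = least compression, 9 = maximum compression"); please confirm that level 0 really disables compression rather than being the lowest level, and align the wording if it is the latter.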
@ -314,13 +314,13 @@ STREAM support :x:
Compress HTTP requests with the gzip algorithm.
| Setting | Default | Context | Multiple | Description |
| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ----------------------------------------------------- |
| `USE_GZIP` | `no` | multisite | no | Use gzip |
| `GZIP_TYPES` | `application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml` | multisite | no | List of MIME types that will be compressed with gzip. |
| `GZIP_MIN_LENGTH` | `1000` | multisite | no | Minimum length for gzip compression. |
| `GZIP_COMP_LEVEL` | `5` | multisite | no | The compression level of the gzip algorithm. |
| `GZIP_PROXIED` | `no-cache no-store private expired auth` | multisite | no | Which kind of proxied requests we should compress. |
| Setting | Default | Context | Multiple | Description |
| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ---------------------------------------------------------------------------- |
| `USE_GZIP` | `no` | multisite | no | Enable or disable Gzip compression. |
| `GZIP_TYPES` | `application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml` | multisite | no | List of MIME types that will be compressed with gzip. |
| `GZIP_MIN_LENGTH` | `1000` | multisite | no | Minimum response size (in bytes) for Gzip compression to apply. |
| `GZIP_COMP_LEVEL` | `5` | multisite | no | Compression level for Gzip (1 = least compression, 9 = maximum compression). |
| `GZIP_PROXIED` | `no-cache no-store private expired auth` | multisite | no | Specifies which proxied requests should be compressed. |
## HTML injection
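Review bot: same wording mismatch as in the Brotli hunk: the intro "Compress HTTP requests with the gzip algorithm" conflicts with the new `GZIP_MIN_LENGTH` description "Minimum response size (in bytes) for Gzip compression to apply"; change the intro to "responses". Otherwise the reworded descriptions read well.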
@ -344,7 +344,7 @@ Manage HTTP headers sent to clients.
| `CUSTOM_HEADER` | | multisite | yes | Custom header to add (HeaderName: HeaderValue). |
| `REMOVE_HEADERS` | `Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version Public-Key-Pins` | multisite | no | Headers to remove (Header1 Header2 Header3 ...) |
| `KEEP_UPSTREAM_HEADERS` | `Content-Security-Policy Permissions-Policy X-Frame-Options` | multisite | no | Headers to keep from upstream (Header1 Header2 Header3 ... or * for all). |
| `STRICT_TRANSPORT_SECURITY` | `max-age=31536000; includeSubDomains; preload` | multisite | no | Value for the Strict-Transport-Security header. |
| `STRICT_TRANSPORT_SECURITY` | `max-age=63072000; includeSubDomains; preload` | multisite | no | Value for the Strict-Transport-Security (HSTS) header. |
| `COOKIE_FLAGS` | `* HttpOnly SameSite=Lax` | multisite | yes | Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module). |
| `COOKIE_AUTO_SECURE_FLAG` | `yes` | multisite | no | Automatically add the Secure flag to all cookies. |
| `CONTENT_SECURITY_POLICY` | `object-src 'none'; form-action 'self'; frame-ancestors 'self';` | multisite | no | Value for the Content-Security-Policy header. |
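Review bot: the `STRICT_TRANSPORT_SECURITY` default moves from `max-age=31536000` (one year) to `max-age=63072000` (two years) while the description only gains "(HSTS)". Because the default keeps `includeSubDomains` and `preload`, an operator enabling it commits every subdomain to HTTPS for two years, and that is not visible from the description; suggest spelling it out, e.g. "Value for the Strict-Transport-Security (HSTS) header (default: two years, all subdomains, preload)."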
@ -711,7 +711,7 @@ Allow access based on internal and external IP/network/rDNS/ASN whitelists.
| Setting | Default | Context | Multiple | Description |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_WHITELIST` | `yes` | multisite | no | Activate whitelist feature. |
| `WHITELIST_IP` | `` | multisite | no | List of IP/network, separated with spaces, to put into the whitelist. |
| `WHITELIST_IP` | | multisite | no | List of IP/network, separated with spaces, to put into the whitelist. |
| `WHITELIST_RDNS` | `.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com` | multisite | no | List of reverse DNS suffixes, separated with spaces, to whitelist. |
| `WHITELIST_RDNS_GLOBAL` | `yes` | multisite | no | Only perform RDNS whitelist checks on global IP addresses. |
| `WHITELIST_ASN` | `32934` | multisite | no | List of ASN numbers, separated with spaces, to whitelist. |


@ -35,10 +35,10 @@
},
"STRICT_TRANSPORT_SECURITY": {
"context": "multisite",
"default": "max-age=31536000; includeSubDomains; preload",
"help": "Value for the Strict-Transport-Security header.",
"default": "max-age=63072000; includeSubDomains; preload",
"help": "Value for the Strict-Transport-Security (HSTS) header.",
"id": "strict-transport-security",
"label": "Strict-Transport-Security",
"label": "Strict-Transport-Security (HSTS)",
"regex": "^(max-age=\\d+(; includeSubDomains(; preload)?)?)?$",
"type": "text"
},
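Review bot: the `default`, `help` and `label` fields are updated but the `regex` is untouched; it still accepts the new default since it only constrains the `max-age` digits. Note that the outer group is optional, so the regex also accepts an empty string, and it requires the exact spelling and order `; includeSubDomains; preload`; the help text should state what an empty value means for the header, and the documentation table in this commit should use the same spelling so that the documented default validates.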