@@ -12,6 +12,7 @@ Include conf.d/manageiq-redirects-ui
1212Include conf.d/manageiq-redirects-websocket
1313Include conf.d/manageiq-host-config
1414RequestHeader set X_FORWARDED_PROTO 'https'
15+ Header always set Strict-Transport-Security "max-age=631138519"
1516
1617ErrorLog /var/www/miq/vmdb/log/apache/ssl_error.log
1718TransferLog /var/www/miq/vmdb/log/apache/ssl_access.log
@@ -22,8 +23,10 @@ SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
2223SSLCertificateFile /var/www/miq/vmdb/certs/server.cer
2324SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key
2425
25- <Location / assets/ >
26+ <LocationMatch "^/( assets|packs)/" >
2627 Header unset ETag
28+ # Explicit HSTS needed: Location blocks using "Header set" don't inherit "Header always set" from VirtualHost
29+ Header always set Strict-Transport-Security "max-age=631138519"
2730 Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self'; style-src 'self'; report-uri /dashboard/csp_report"
2831 Header set X-Content-Type-Options "nosniff"
2932 Header set X-Frame-Options "SAMEORIGIN"
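Review bot: The new Strict-Transport-Security line in this LocationMatch block is the only header here sent with `always`; the neighbouring `Header set Content-Security-Policy`, `Header set X-Content-Type-Options` and `Header set X-Frame-Options` lines use the default on-success condition, so a 404 for a missing fingerprinted file under /assets/ or /packs/ leaves without them. If those headers are intended on every response from this block, `Header always set Content-Security-Policy "…"` (and likewise for the two lines below it) would match the behaviour the HSTS line now has. The `max-age=631138519` literal is now duplicated between the VirtualHost and this block, so a comment such as `# ~20 years; must stay identical to the VirtualHost-level Strict-Transport-Security` on the new line, or a single `Define` shared by both directives, would keep the two from drifting apart. The rendered pattern reads `"^/( assets|packs)/"` with a space after the parenthesis; if that space is in the committed file rather than a display artifact, the regex will never match `/assets/…`, which is worth confirming against the raw file. The LocationMatch block continues past the end of this hunk.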
@@ -33,20 +36,7 @@ SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key
3336 Header merge Cache-Control public
3437 ExpiresActive On
3538 ExpiresDefault "access plus 1 year"
36- </Location>
37-
38- <Location /packs/>
39- Header unset ETag
40- Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self'; style-src 'self'; report-uri /dashboard/csp_report"
41- Header set X-Content-Type-Options "nosniff"
42- Header set X-Frame-Options "SAMEORIGIN"
43- Header set X-Permitted-Cross-Domain-Policies "none"
44- Header set X-XSS-Protection "1; mode=block"
45- FileETag None
46- Header merge Cache-Control public
47- ExpiresActive On
48- ExpiresDefault "access plus 1 year"
49- </Location>
39+ </LocationMatch>
5040
5141<Files ~ "\.(cgi|shtml|phtml|php3?)$">
5242 SSLOptions +StdEnvVars