The Captive Portal should not be framed or leak sensitive detail via Referrers either.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
config/httpd/vhosts.d/captive.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf index 629fa8180..51af6eac4 100644 --- a/config/httpd/vhosts.d/captive.conf +++ b/config/httpd/vhosts.d/captive.conf @@ -11,6 +11,8 @@ Listen 1013
Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + Header always set Referrer-Policy strict-origin + Header always set X-Frame-Options sameorigin
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/ Alias /assets/ /srv/web/ipfire/html/captive/assets/
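Review bot: the vhost's existing Content-Security-Policy line would be the natural place to also declare `frame-ancestors 'self'`; browsers that implement CSP Level 2 give that directive precedence over X-Frame-Options, so adding it next to the new `Header always set X-Frame-Options sameorigin` line gives consistent anti-framing behaviour in both older and current clients instead of relying on the legacy header alone. On the `Referrer-Policy strict-origin` choice: a captive portal served on its own port (Listen 1013) has no obvious need to send any referrer to other origins, so `same-origin` or `no-referrer` would be stricter if nothing on the portal pages depends on the Referer header; a sentence in the commit message explaining why strict-origin was preferred would help future readers. Minor: the header value is conventionally written `SAMEORIGIN`; browsers compare it case-insensitively (RFC 7034), so this is cosmetic only.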