Content-Security-Policy set twice in ispconfig.vhost

Discussion in 'General' started by gOOvER, Jun 29, 2024.

  1. gOOvER

    gOOvER Member

    is there any reaoson, why Content-Security-Policy is set twice in ispconfig.vhost?


    Code:
    <IfModule mod_headers.c>
    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    Header set X-Content-Type-Options: nosniff
    Header set X-Frame-Options: SAMEORIGIN
    Header set X-XSS-Protection: "1; mode=block"
    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"
    <IfVersion >= 2.4.7>
        Header setifempty Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    <IfVersion < 2.4.7>
        Header set Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    RequestHeader unset Proxy early
  </IfModule>
     
    gOOvER, Jun 29, 2024
    #1
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I think this is a mistake. We should change that.
     
    Th0m, Jul 2, 2024
    #2

Share This Page