Security Headers
Metanet
Strict-Transport-Security does not need to be set at Metanet with HSTS
Apache
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options sameorigin
Header set Referrer-Policy "no-referrer-when-downgrade"
# Origins in a Permissions-Policy allowlist are double-quoted strings
Header always set Permissions-Policy "geolocation=(self \"https://gwdev.ch/\"), camera=(), fullscreen=*"
Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
Caution: the entries must always be checked individually for each server and website. Depending on the setup and the interfaces in use, at least the Content-Security-Policy has to be adjusted.
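One way to carry out that per-site check, as an added example that is not part of the original page: a small Python audit of a response head against the header values configured here. The sample response, the example.test origin and the function names are constructed for illustration.

```python
import re

# Fixed-value headers set by the configurations on this page (compared lowercase).
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"sameorigin", "deny"},
    "referrer-policy": {"no-referrer-when-downgrade"},
}
MIN_HSTS_AGE = 31536000  # the max-age used on this page

def parse_headers(raw):
    """Parse a raw response head (e.g. from `curl -sI`) into {lowercase name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, expect_hsts=True):
    """Return sorted findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    for name, allowed in EXPECTED.items():
        if name not in h:
            findings.append(f"{name}: missing")
        elif h[name].lower() not in allowed:
            findings.append(f"{name}: unexpected value {h[name]!r}")
    if expect_hsts:  # pass False for a plain-HTTP response (env=HTTPS omits it there)
        m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
        if not m:
            findings.append("strict-transport-security: missing")
        elif int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("strict-transport-security: max-age too short")
    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("permissions-policy: missing")
    elif "'" in pp:  # origins are structured-field strings: double quotes only
        findings.append("permissions-policy: single-quoted origin")
    return sorted(findings)

# Constructed sample response for illustration, not captured from a real server.
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
Strict-Transport-Security: max-age=86400
Permissions-Policy: geolocation=(self 'https://example.test'), camera=()
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```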
Not Metanet
Apache
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy "no-referrer-when-downgrade"
# Origins in a Permissions-Policy allowlist are double-quoted strings
Header always set Permissions-Policy "geolocation=(self \"https://domain.ch\"), camera=(), fullscreen=*"
</IfModule>
XML-RPC
Apache
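# Block access to xmlrpc.php
<Files xmlrpc.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from all
</IfModule>
</Files>
PHP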
add_filter('xmlrpc_enabled', '__return_false');