I spent some time playing with my web server (Lighttpd) trying to set up a more secure configuration, and now my site has an "A" score, so I can share with you how to reach this result.
On Lighttpd (don't forget to switch on mod_setenv):
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=15768000",
"Content-Security-Policy" => "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'",
"X-Content-Type-Options" => "nosniff",
"X-Frame-Options" => "DENY",
"X-XSS-Protection" => "1; mode=block"
)
On nginx:
add_header Strict-Transport-Security "max-age=15768000" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
On Apache (mod_headers; note that Apache directives do not take a trailing semicolon):
Header always set Strict-Transport-Security "max-age=15768000"
Header always set Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"
Additional details can be found on Scott Helme's blog.
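As an added example (not part of the original post), the script below audits a response header set, constructed here from the values in the configuration above, for the weaknesses a header scanner typically reports: an HSTS max-age under one year, a missing includeSubDomains, 'unsafe-inline' in script-src or style-src, and missing nosniff or framing protection. The thresholds and finding messages are my own assumptions, not the scoring rules of any particular scanner.

```python
import re
# Constructed sample: the header set the configuration in this post emits.
POSTED_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000",
    "Content-Security-Policy": "default-src 'self'; script-src 'unsafe-inline' "
        "https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src "
        "'unsafe-inline' https://fonts.googleapis.com 'self'; font-src "
        "https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; "
        "img-src https://www.google-analytics.com https://mc.yandex.ru 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}
ONE_YEAR = 31536000  # seconds; assumed threshold (HSTS preload requires at least this)

def parse_csp(value):
    # Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; directive names lower-cased.
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit_headers(headers):
    # Return a list of weaknesses in a response header set (empty list = no findings).
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not set includeSubDomains")
    policy = parse_csp(h.get("content-security-policy", ""))
    if not policy:
        findings.append("Content-Security-Policy missing")
    for directive in ("script-src", "style-src"):
        # An absent fetch directive falls back to default-src.
        sources = policy.get(directive, policy.get("default-src", []))
        if "'unsafe-inline'" in sources:
            findings.append(f"CSP {directive} allows 'unsafe-inline'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in policy:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    return findings
```

Run against POSTED_HEADERS it reports four findings: the 15768000-second max-age, the missing includeSubDomains, and 'unsafe-inline' in both script-src and style-src; the nosniff and DENY settings pass.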