Malin/WPIQ
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CORS header

Browse Source 
* additional security directives
This commit is contained in:
VirtuBox
2019-09-25 00:27:31 +02:00
parent 6b5cfbacd6
commit be4b3cfad2
4 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGELOG.md
View File

@@ -11,10 +11,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
#### Added #### Added
- [SECURE] Allow new ssh port with UFW when running `wo secure --sshport` - [SECURE] Allow new ssh port with UFW when running `wo secure --sshport`
- [SECURITY] Additional Nginx directives to prevent access to log files or backup from web browser
- [CORE] apt-mirror-updater to select the fastest debian/ubuntu mirror with automatic switching between mirrors if the current mirror is being updated
#### Changed
- [SECURITY] Improved sshd_config template according to Mozilla Infosec guidelines
#### Fixed #### Fixed
- [STACK] UFW setup after removing all stacks with `wo stack purge --all` - [STACK] UFW setup after removing all stacks with `wo stack purge --all`
- [CONFIG] Invalid CORS header
### v3.9.9 - 2019-09-24 ### v3.9.9 - 2019-09-24

4
wo/cli/templates/locations.mustache
View File

@@ -12,7 +12,7 @@ location @empty_gif {
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest)$ {
more_set_headers 'Access-Control-Allow-Origin : "*"'; more_set_headers 'Access-Control-Allow-Origin : *';
more_set_headers "Cache-Control : public, no-transform"; more_set_headers "Cache-Control : public, no-transform";
access_log off; access_log off;
log_not_found off; log_not_found off;
@@ -20,7 +20,7 @@ location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?
} }
# Cache css & js files # Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ { location ~* \.(?:css(\.map)?|js(\.map)?)$ {
more_set_headers 'Access-Control-Allow-Origin : "*"'; more_set_headers 'Access-Control-Allow-Origin : *';
more_set_headers "Cache-Control : public, no-transform"; more_set_headers "Cache-Control : public, no-transform";
access_log off; access_log off;
log_not_found off; log_not_found off;

2
wo/cli/templates/nginx-core.mustache
View File

@@ -66,7 +66,7 @@ http {
more_set_headers "X-Frame-Options : SAMEORIGIN"; more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block"; more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; more_set_headers "Referrer-Policy : no-referrer, strict-origin-when-cross-origin";
more_set_headers "X-Download-Options : noopen"; more_set_headers "X-Download-Options : noopen";
# oscp settings # oscp settings

10
wo/cli/templates/wpcommon.mustache
View File

@@ -40,15 +40,15 @@ location @robots {
location /wp-content/uploads { location /wp-content/uploads {
location ~ \.(png|jpe?g)$ { location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding"; add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*"; more_set_headers 'Access-Control-Allow-Origin : *';
add_header Cache-Control "public, no-transform"; add_header Cache-Control "public, no-transform";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
try_files $uri$webp_suffix $uri =404; try_files $uri$webp_suffix $uri =404;
} }
location ~ \.php$ { location ~* \.(php|gz|log|zip|tar|rar}$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers
deny all; deny all;
} }
} }
@@ -56,7 +56,7 @@ location /wp-content/uploads {
location /wp-content/plugins/ewww-image-optimizer/images { location /wp-content/plugins/ewww-image-optimizer/images {
location ~ \.(png|jpe?g)$ { location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding"; add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*"; more_set_headers 'Access-Control-Allow-Origin : *';
add_header Cache-Control "public, no-transform"; add_header Cache-Control "public, no-transform";
access_log off; access_log off;
log_not_found off; log_not_found off;
@@ -72,7 +72,7 @@ location /wp-content/plugins/ewww-image-optimizer/images {
location /wp-content/cache { location /wp-content/cache {
# Cache css & js files # Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ { location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
add_header "Access-Control-Allow-Origin" "*"; more_set_headers 'Access-Control-Allow-Origin : *';
access_log off; access_log off;
log_not_found off; log_not_found off;
expires 30d; expires 30d;