Document best practice security headers option always with redirect (defense in depth)

[janwillemstegink]

https://en.internet.nl/site/www.workingornot.org/3182705/#

https://en.internet.nl/site/workingornot.org/3182706/

.htaccess content:

SetEnv no-gzip 1
Header always set Strict-Transport-Security "max-age=63072000"
Header set X-Content-Type-Options nosniff
Header set X-Xss-Protection "1; mode=block"
Header set Referrer-Policy same-origin
Header set X-Frame-Options SAMEORIGIN
Header set Content-Security-Policy "default-src 'none'; base-uri 'none'; frame-src 'self'; connect-src 'self'; form-action 'self'; font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; style-src 'unsafe-inline' 'self' data:; style-src-elem 'self' 'unsafe-inline' data: https://fonts.googleapis.com;"
Header set Permissions-Policy geolocation=()

Options +Indexes

<If "! (%{HTTP_HOST} =~ /^www.workingornot.org$/)">
Redirect 302 / https://www.workingornot.org/

ErrorDocument 404 /404.html

Redirect 302 /.well-known/security.txt https://janwillemstegink.nl/.well-known/security.txt

With escaping of dots visible in an image:

[WKobes]

• Duplicate of If redirected, HTTP security headers, except HSTS, should be gray in color. Internet.nl#1417 and also see the discussion in Skip specific headers on 301 or 302 redirect Internet.nl#378 (comment). Back then, the rationale was to keep requiring the headers as an defense-in-depth measure. You can serve these security headers by using the always keyword in your .htaccess file.

[janwillemstegink]

An defense-in-depth measure is no problem for me.

1. The question remains how to test and warn effectively.
2. Tuning testing (per security header type) may be a challenge for internet.nl.
3. The red colors on securityheaders.com, without following the redirect, also raises questions:
   https://securityheaders.com/?q=https%3A%2F%2Fworkingornot.org%2F

[janwillemstegink]

For me it now works in index.php as can be seen with https://internet.nl/site/workingornot.org/3186198/#

[janwillemstegink]

• Maybe a new kind of redirect could be done right after httpd;
• Apache could do it with a new redirect option in .htaccess;
• Scott Helme, behind securityheaders.com, will have his thoughts.

[janwillemstegink]

Indeed 'always' works:

Header always set Strict-Transport-Security "max-age=63072000"
Header always set X-Content-Type-Options nosniff
Header always set X-Xss-Protection "1; mode=block"
Header always set Referrer-Policy same-origin
Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "default-src 'none'; base-uri 'none'; frame-src 'self'; connect-src 'self'; form-action 'self'; font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; style-src 'unsafe-inline' 'self' data:; style-src-elem 'self' 'unsafe-inline' data: https://fonts.googleapis.com;"
Header always set Permissions-Policy geolocation=()

[bwbroersma]

Maybe move this ticket to internetstandards/toolbox-wiki/?

[janwillemstegink]

https://securityheaders.com/?q=https%3A%2F%2Fwww.securityheaders.com%2F

Knowledge transfer should work after an issue like: Document please required stabilization having 'always' in security headers.
Visually comparing http headers colors becomes possible if internet.nl implements two columns: Without www and with www

The tool securityheaders.com

• may move to www.securityheaders.com
• may show a score for each of four columns: IPv4 without www - IPv6 without www - IPv4 with www - IPv6 with www
• may comment on documentation by internet.nl

[janwillemstegink]

For securityheaders.com modeling was necessary.
My newest tool to view security headers is operational:
https://securityheaders.hostingtool.org/