Configuring Control Center Security Headers
HTTP responses returned by Control Center contain HTTP security headers. These security headers can be edited in the file /etc/netrounds/netrounds.conf.
The table below shows:
- the name of each security header
- the name of the setting in /etc/netrounds/netrounds.conf that stores the value assigned to that header
- the default value for the header
HTTP security header | Setting name in netrounds.conf | Default value
---|---|---
Content-Security-Policy | | ("default-src 'self' https: http: ws: data: 'unsafe-inline' 'unsafe-eval';" " script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com;" " img-src 'self' *.google-analytics.com data:")
Expect-CT | |
Public-Key-Pins | |
Referrer-Policy | |
X-Content-Type-Options | | nosniff
X-Frame-Options | |
X-Permitted-Cross-Domain-Policies | |
X-XSS-Protection | | 1; mode=block
Headers with the value None will not be sent in the HTTP response.
To edit one or more of the security headers listed above, proceed as follows:
- Open the file /etc/netrounds/netrounds.conf as the root user (or using sudo).
- Uncomment the security header(s) of interest if they are commented out, removing the hashes ("#").
- Change the security header value as desired.
- Save and close the file.
- Reload the Apache service:
  sudo systemctl reload apache2
- Verify that the security headers are updated by running:
  $ curl -k -I <Control Center URL>
Note: The URL must match the SITE_URL entry in /etc/netrounds/netrounds.conf, and the https:// prefix must be included.
Below is an example of output from the verification step:
$ curl -k -I https://my_paa_control_center_url.com
HTTP/1.1 200 OK
Date: Mon, 26 Sep 2022 11:24:40 GMT
Server: Apache/2.4.29 (Ubuntu)
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(self), gamepad=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), speaker-selection=(), usb=(), web-share=(), xr-spatial-tracking=()
Vary: Cookie,Accept-Encoding
Content-Security-Policy: default-src 'self' https: http: ws: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com; img-src 'self' *.google-analytics.com data:
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
X-Frame-Options: SAMEORIGIN
Set-Cookie: csrftoken=1IhGe7pnyifwNh0fUI5mTCTSrOTiKXM7CXE526wewr6lSBCQsfiPmmCgamikBLVb; expires=Mon, 25-Sep-2023 11:24:42 GMT; Max-Age=31449600; Path=/; Secure
Content-Type: text/html; charset=utf-8
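Reading the verification output by eye is error-prone once several headers are in play. The following added example (not part of the Control Center documentation or product) parses a captured curl -I header block, reports which of the headers from the table above were sent or suppressed, and flags the CSP keywords that permit inline and eval script; the sample header block is constructed from the output shown above.

```python
# Added example (not from the Control Center documentation or product): audit the
# header block printed by `curl -k -I <Control Center URL>` against the table above.

# Headers listed in the table above.
SECURITY_HEADERS = (
    "Content-Security-Policy", "Expect-CT", "Public-Key-Pins",
    "Referrer-Policy", "X-Content-Type-Options", "X-Frame-Options",
    "X-Permitted-Cross-Domain-Policies", "X-XSS-Protection",
)

def parse_headers(raw):
    """Turn `curl -I` output into {lowercase name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Map each table header to the value the server sent, or None if it was not
    sent (a setting of None in netrounds.conf suppresses the header)."""
    found = parse_headers(raw)
    return {h: found.get(h.lower()) for h in SECURITY_HEADERS}

def permissive_csp_keywords(csp):
    """Return the CSP keywords that permit inline/eval script, if present."""
    return [k for k in ("'unsafe-inline'", "'unsafe-eval'") if k in csp]

# Constructed sample, trimmed from the verification output shown above.
SAMPLE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
Content-Security-Policy: default-src 'self' https: http: ws: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com; img-src 'self' *.google-analytics.com data:
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    for name, value in result.items():
        print(f"{name:35} {'(not sent)' if value is None else value}")
    print("permissive CSP keywords:", permissive_csp_keywords(result["Content-Security-Policy"] or ""))
```

Pipe real output in with `curl -k -I <Control Center URL> | python3 audit.py` after replacing SAMPLE with sys.stdin.read(); a header reported as "(not sent)" is either set to None in netrounds.conf or still commented out.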