apache2: add secure flag header when enforce_ssl

The Secure attribute tells the browser to only send the cookie if the
request is being sent over a secure channel such as HTTPS. This will
help protect the cookie from being passed over unencrypted requests.

Change-Id: I1ded951d79ad9fa832d1e88f656a1e064b1ef007
Closes-bug: #1822751
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
Sahid Orentino Ferdjaoui 2019-04-02 12:14:23 +02:00 committed by sahid
parent 115790bac6
commit 101098a1c2


@ -44,6 +44,7 @@ NameVirtualHost *:{{ 443 }}
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
{% if enforce_ssl %}
Header set Strict-Transport-Security "max-age={{ hsts_max_age_seconds }}"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
{% endif %}
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
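
Review bot: The `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` line inside the `{% if enforce_ssl %}` block appends both attributes to every cookie unconditionally, and it forces `HttpOnly` although the commit message describes only `Secure`. A backend that already emits `Secure` or `HttpOnly` will end up with the attribute twice, and any cookie that client-side script is expected to read stops being readable once `HttpOnly` is added. Consider splitting this into two `Header edit` rules, each guarded so it only appends when the attribute is missing (for example a case-insensitive negative lookahead such as `^((?i)(?!.*;\s*secure).*)$` for the `Secure` rule), and document the `HttpOnly` behaviour in the commit message or in a template comment. Also note that without the `always` condition `Header edit` acts only on the default (onsuccess) header table, while Apache places headers generated by CGI scripts in the `always` table, so it is worth confirming where the services behind this template set their cookies and adding an `always` variant if needed.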