Werk #13194: Add several security HTTP headers

Component: Setup
Title: Add several security HTTP headers
Date: Oct 11, 2021
Level: Trivial Change
Class: New Feature
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:
  2.1.0b1: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
  2.0.0p23: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

This werk adds the following security headers:

- X-Frame-Options: sameorigin
  Only websites hosted on the same domain are allowed to include CMK as a frame. The Content-Security-Policy already constrains this.
- X-XSS-Protection: 1; mode=block
  Enables the browser's built-in XSS protection.
- X-Permitted-Cross-Domain-Policies: none
  We do not ship cross-domain policies, so we disable them with this header.
- Referrer-Policy: origin-when-cross-origin
  Only send the origin as Referer to other sites.

You can override these settings in the Apache config if you need to.
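To confirm that a site actually sends the four values listed above, for instance after an update or after changing the Apache config, the following added example (not Checkmk's own code) audits a captured HTTP response. The function names and the sample response are constructed for illustration.

```python
EXPECTED = {
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1; mode=block",
    "x-permitted-cross-domain-policies": "none",
    "referrer-policy": "origin-when-cross-origin",
}

# Added example, not Checkmk code. SAMPLE is a constructed response (as `curl -si` would save).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1;mode=block\r\n"
    "Referrer-Policy: origin-when-cross-origin\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Return {lowercased name: [values]} so repeated headers stay visible."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def normalize(value):
    # Assumption of this check: compare case-insensitively, ignore spaces around ';'.
    return ";".join(part.strip() for part in value.lower().split(";"))

def audit(raw):
    """Map each expected header to 'ok', 'missing', 'mismatch: ..' or 'duplicate: ..'."""
    got, report = parse_headers(raw), {}
    for name, want in EXPECTED.items():
        values = got.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:  # an override that appends instead of replacing
            report[name] = "duplicate: " + " | ".join(values)
        elif normalize(values[0]) != normalize(want):
            report[name] = "mismatch: " + values[0]
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for header, status in audit(SAMPLE).items():
        print(f"{header}: {status}")
```

A "mismatch" is not necessarily a fault, since the werk allows overriding the values; a "duplicate" means the response carries two copies of a header and is worth resolving.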
