#
# Pull in mod_policy only when it has not been loaded already.
# "policy_module" is the module identifier that LoadModule registers below.
<IfModule !policy_module>
    LoadModule policy_module modules/mod_policy.so
</IfModule>
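#
# Typical policy for static content.
# Swap "enforce" for "log" to complain about violations rather
# than failing.
#
# <Location /> matches every URL path on this server, not only static
# files. Narrow the location if dynamic content served from the same host
# cannot satisfy the rules below.
<Location />
    # Only the filters named here are applied; a Policy* directive whose
    # filter is missing from this chain is never evaluated.
    SetOutputFilter POLICY_TYPE;POLICY_LENGTH;POLICY_KEEPALIVE;POLICY_VARY;POLICY_VALIDATION;POLICY_CONDITIONAL;POLICY_NOCACHE;POLICY_MAXAGE

    # content type must be present and valid, but can be anything
    PolicyType enforce */*

    # reject if no explicitly declared content length
    PolicyLength enforce

    # covered by the policy length filter
    PolicyKeepalive ignore

    # reject if User-Agent appears within Vary headers
    PolicyVary enforce User-Agent

    # we want to enforce validation
    PolicyValidation enforce

    # non-functional conditional responses should be rejected
    PolicyConditional enforce

    # no-cache responses should be rejected
    PolicyNocache enforce

    # maxage must be at least a day (86400 seconds)
    PolicyMaxage enforce 86400

    # request version can be anything
    # NOTE: POLICY_VERSION is not part of the SetOutputFilter chain above,
    # so this directive is not applied as configured. It is set to "ignore"
    # either way; add POLICY_VERSION to the chain before switching it to
    # "log" or "enforce".
    PolicyVersion ignore HTTP/1.1

    # define documentation links, one URL describing each policy
    PolicyConditionalURL http://httpd.apache.org/docs/trunk/compliance.html#policyconditional
    PolicyLengthURL http://httpd.apache.org/docs/trunk/compliance.html#policylength
    PolicyTypeURL http://httpd.apache.org/docs/trunk/compliance.html#policytype
    PolicyKeepaliveURL http://httpd.apache.org/docs/trunk/compliance.html#policykeepalive
    PolicyMaxageURL http://httpd.apache.org/docs/trunk/compliance.html#policymaxage
    PolicyNocacheURL http://httpd.apache.org/docs/trunk/compliance.html#policynocache
    PolicyValidationURL http://httpd.apache.org/docs/trunk/compliance.html#policyvalidation
    PolicyVaryURL http://httpd.apache.org/docs/trunk/compliance.html#policyvary
    PolicyVersionURL http://httpd.apache.org/docs/trunk/compliance.html#policyversion

</Location>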
#
# Exempt the server status page from the policy filters.
# "PolicyFilter off" only switches off the policy checks for this path; it
# does not decide who may reach /server-status. Access to the status page
# has to be restricted by its own access rules, which are not part of this
# file.
<Location /server-status>
    PolicyFilter off
</Location>