Hi, it looks like it doesn't occur with static files using lynx. I also
checked with the homepage, and same result - X-Frame-Options only shows
SAMEORIGIN and does not include GOFORIT.
$ lynx -head -dump
https://linuxsecurity.com/static-content/linuxsecurity_advisories.xml HTTP/1.1 200 OK
Date: Thu, 02 Sep 2021 15:08:39 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Thu, 02 Sep 2021 15:00:02 GMT
ETag: W/"2282-5cb046ff9b981-gzip"
Cache-Control: max-age=300
Expires: Thu, 02 Sep 2021 15:12:20 GMT
Vary: Accept-Encoding,User-Agent
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: geolocation 'self'; vibrate 'none'
Content-Security-Policy: frame-ancestors 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
Age: 78
X-Cache: HIT from linuxsecurity.com
X-Cache-Detail: "cache hit" from linuxsecurity.com
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800,
report-uri="
https://report-uri.cloudflare.com/cdn-cgi /beacon/expect-ct"
Report-To:
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Uk
C0MKV7N2kk6yllw9WQA5IlyNXkPlocDP9bk4SdU3geD8ODmI7n2W11DoMmsuRiQ6RImPfZSkCRSGZynM
qvwjLGZ1qs5WN0WpFfnVoPI85wlD%2BF76XyY7Yc0T9zJz6G68YM"}],"group":"cf-nel","max_ag
e":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6887a7a89cc5f031-EWR
Does that mean the test I used that showed GOFORIT is inaccurate?
The scan also reported that the permissions header was incorrect, and
suggested we add the following:
Permissions-Policy: interest-cohort=()
Do you have any recommendations for other security settings that should
be configured:
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
Thanks,
Dave
On 9/1/21 7:43 PM, Eric Covener wrote:
> On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski
> <dwreski@guardiandigital.com.invalid> wrote:
>> Hi,
>>
>> I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test) on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but it also returned GOFORIT.
>>
>> The only settings we have are the following:
>>
>> <IfModule mod_headers.c>
>> Header set X-XSS-Protection "1; mode=block"
>> Header set X-Frame-Options "SAMEORIGIN"
>> Header set X-Content-Type-Options "nosniff"
>> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
>> Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
>> Header set Content-Security-Policy "frame-ancestors 'self'"
>> </IfModule>
>>
>> No where are we setting GOFORIT. Is it somehow the default and necessary to explicitly disable it?
> No. I'd veifry with a command-line client and see if it happens even
> for static files.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org