Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter dny24

    (@dny24)

    PS Carl,

    I found something else:
    For Feature policy, normal code is – for instance –
    Header set Expect-CT "max-age=86400,enforce"

    HTTP Security Options writes it in reverse:
    Header set Expect-CT: enforce; max-age=86400;

    This gives errors (misconfiguration or weakness)
    when using a website security test.

    Of course this is intended as ‘positive, constructive critique’.

    Best regards,

    Danny

    Thread Starter dny24

    (@dny24)

    Good morning Carl,

    Thanks for your reply.

    It doesn’t matter which value I give for base-uri,
    like ‘self’, ‘none’, ‘unsafe-hashes’ etc.
    The outcome of what HTTP Security Options writes is the same:
    base-uri ;
    So nothing is written.

    Normally, I would see something like:
    <IfModule mod_headers.c>
    Header set Content-Security-Policy "base-uri 'self';"
    </IfModule>

    So it looks like a bug.
    But maybe I’m missing something…

    Best regards,

    Danny
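
A small Python linter for the two symptoms reported in the replies above, added here as an example (it is not code from the HTTP Security Options plugin or from the poster). Assumptions: the regex only handles simple `Header set` lines, `VALUE_EXPECTED` is a partial list chosen for illustration, and the third sample line is constructed from the `base-uri ;` output described in the second reply.

```python
import re

# Simplified matcher for "Header set NAME VALUE" lines (assumption: no
# trailing env=/expr= condition; real mod_headers syntax allows more).
HEADER_SET = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+([A-Za-z-]+):?\s+(.*?)\s*$')
# Partial, assumed list of CSP directives that are expected to carry a value.
VALUE_EXPECTED = {"base-uri", "default-src", "script-src", "form-action"}

def lint_expect_ct(value):
    """Expect-CT (RFC 9163): comma-separated directives, max-age required."""
    findings = []
    if ";" in value:
        findings.append("Expect-CT directives are separated by ',' not ';'")
    directives = [d.strip() for d in value.split(",") if d.strip()]
    if not any(re.fullmatch(r"max-age=\d+", d, re.I) for d in directives):
        findings.append("no well-formed max-age directive")
    return findings

def lint_csp(value):
    """Flag CSP directives that were written without any value."""
    findings = []
    for directive in value.split(";"):
        tokens = directive.split()
        if len(tokens) == 1 and tokens[0].lower() in VALUE_EXPECTED:
            findings.append(f"{tokens[0]} has an empty value")
    return findings

def lint_line(line):
    """Return the findings for one Apache 'Header set' line."""
    m = HEADER_SET.match(line)
    if not m:
        return []
    name, raw = m.group(1).lower(), m.group(2)
    quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
    findings = []
    if not quoted and re.search(r"\s", raw):
        findings.append("value contains spaces but is not double-quoted")
    value = raw[1:-1] if quoted else raw
    if name == "expect-ct":
        findings += lint_expect_ct(value)
    elif name == "content-security-policy":
        findings += lint_csp(value)
    return findings

SAMPLES = (  # first two from the replies; third constructed from "base-uri ;"
    'Header set Expect-CT "max-age=86400,enforce"',
    'Header set Expect-CT: enforce; max-age=86400;',
    'Header set Content-Security-Policy "base-uri ;"',
)
```

Running `lint_line` over `SAMPLES` passes the first line and reports findings for the other two, which is a quick way to compare what a header plugin wrote against what was configured.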
