diff --git a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf
index 43957f476..990648e7f 100644
--- a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf
+++ b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf
@@ -1,98 +1,77 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
#
-# Disable access to the entire file system except for the directories that
-# are explicitly allowed later.
+# H5BP Server Configs (Apache)
+# https://github.com/h5bp/server-configs-apache
#
-# This currently breaks the configurations that come with some web application
-# Debian packages.
+# OWASP Secure Headers Project
+# https://owasp.org/www-project-secure-headers/
#
-#
-# AllowOverride None
-# Require all denied
-#
-
+# RFC 8615 - Well-Known URIs
+# https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
-# Changing the following options will not really affect the security of the
-# server, but might make attacks slightly more difficult in some cases.
+# ------------------------------------------------------------------------------
+# | Server Software Information |
+# ------------------------------------------------------------------------------
-#
-# ServerTokens
-# This directive configures what you return as the Server HTTP response
-# Header. The default is 'Full' which sends information about the OS-Type
-# and compiled in modules.
-# Set to one of: Full | OS | Minimal | Minor | Major | Prod
-# where Full conveys the most information, and Prod the least.
-#ServerTokens Minimal
-# ServerTokens OS
-# #ServerTokens Full
+# Minimize information sent about the server
+# https://httpd.apache.org/docs/current/mod/core.html#servertokens
ServerTokens Prod
-#
-# Optionally add a line containing the server version and virtual host
-# name to server-generated pages (internal error documents, FTP directory
-# listings, mod_status and mod_info output etc., but not CGI generated
-# documents or custom error documents).
-# Set to "EMail" to also include a mailto: link to the ServerAdmin.
-# Set to one of: On | Off | EMail
+# Disable server signature on error pages
+# https://httpd.apache.org/docs/current/mod/core.html#serversignature
ServerSignature Off
-# ServerSignature On
-#
-# Allow TRACE method
-#
-# Set to "extended" to also reflect the request body (only for testing and
-# diagnostic purposes).
-#
-# Set to one of: On | Off | extended
+# Disable TRACE HTTP method to prevent XST attacks
+# https://owasp.org/www-community/attacks/Cross_Site_Tracing
TraceEnable Off
-#TraceEnable On
-#
-# Forbid access to version control directories
-#
-# If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for subversion:
-#
-
- Require all denied
+# ------------------------------------------------------------------------------
+# | Security Headers |
+# ------------------------------------------------------------------------------
+
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
+Header always set X-Frame-Options "SAMEORIGIN"
+
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
+Header always set X-Content-Type-Options "nosniff"
+
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
+Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+
+# ------------------------------------------------------------------------------
+# | File Access Restrictions |
+# ------------------------------------------------------------------------------
+
+# Block access to all hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-apache
+
+ Require all denied
-# Prevent Apache from serving Gitlab files
-
- Require all denied
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-apache
+
+ Require all denied
# Disable XML-RPC on all wordpress sites
Require all denied
# allow from xxx.xxx.xxx.xxx
-
-
-#
-# Setting this header will prevent MSIE from interpreting files as something
-# else than declared by the content type in the HTTP headers.
-# Requires mod_headers to be enabled.
-#
-Header always set X-Content-Type-Options: "nosniff"
-
-#
-# Setting this header will prevent other sites from embedding pages from this
-# site as frames. This defends against clickjacking attacks.
-# Requires mod_headers to be enabled.
-#
-Header always set X-Frame-Options: "sameorigin"
-
-#
-# Referrer policy
-#
-Header always set Referrer-Policy "no-referrer-when-downgrade"
-
-#
-# Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-#
-#Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"
-
-#
-# Strict-Transport-Security Policy (set HSTS)
-#
-Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
\ No newline at end of file
+
\ No newline at end of file
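Review bot: The new `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` line ships a one-year, subdomain-wide HSTS policy as the default of a base image and sends it on every response; a deployer whose other subdomains are not yet on TLS will lock browsers out of them for a year, and browsers only honor the header when received over TLS (RFC 6797 §8.1), so the risk is the policy itself rather than the transport. I would add a comment above the directive, `# NOTE: includeSubDomains is cached by browsers for a year; only keep it if every subdomain serves TLS`, and consider limiting it to TLS responses with `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"` — if TLS terminates in a proxy in front of this container, the condition would have to key on the forwarded-protocol header instead. Separately, the rewrite drops the old caveat "Requires mod_headers to be enabled" that accompanied the `Header` directives; Apache refuses to start on an unknown directive, so that dependency should stay documented, e.g. `# Requires mod_headers (a2enmod headers); Apache will not start without it`. The container directives wrapping the two new `Require all denied` lines (dotfile and sensitive-file blocks) are not visible in this rendering, so their match patterns could not be reviewed.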
diff --git a/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf b/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf
index e90562983..19986ee33 100644
--- a/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf
+++ b/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf
@@ -1,24 +1,51 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
+#
+# H5BP Server Configs (nginx)
+# https://github.com/h5bp/server-configs-nginx
#
-# Security Headers
+# OWASP Secure Headers Project
+# https://owasp.org/www-project-secure-headers/
#
+# RFC 8615 - Well-Known URIs
+# https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
-# Prevent IFRAME spoofing attacks
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
add_header X-Frame-Options "SAMEORIGIN" always;
-# Prevent MIME attacks
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
add_header X-Content-Type-Options "nosniff" always;
-# Prevent Referrer URL from being leaked
-add_header Referrer-Policy "no-referrer-when-downgrade" always;
-
-# Configure Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-#add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-# Enable HSTS
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-# Prevent access to . files (the well-known directory)
+# ------------------------------------------------------------------------------
+# | File Access Restrictions |
+# ------------------------------------------------------------------------------
+
+# Block access to hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-nginx
location ~ /\.(?!well-known) {
deny all;
+}
+
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-nginx
+location ~* (?:#.*#|\.(?:bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$ {
+ deny all;
}
\ No newline at end of file
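Review bot: The four `add_header ... always;` lines sit in server context, and nginx does not merge them into any `location` block that declares its own `add_header` — such a block inherits none of them, so a downstream image that adds a single `add_header` to its PHP location silently loses X-Frame-Options, nosniff, Referrer-Policy and HSTS at once. I would record this above the first header: `# NOTE: add_header is not inherited into a location that sets its own add_header; repeat these (or include this file) in such blocks.` Separately, the dotfile rule `location ~ /\.(?!well-known)` exempts every path that merely starts with `/.well-known`, not just the directory — `/.well-known-backup` would be served; the H5BP form anchors on the slash, `location ~ /\.(?!well-known\/)`, which also matches the `/.well-known/*` exception used in the Caddyfile variant. That `location` line is unchanged context in this hunk, so the gap is pre-existing; only the closing brace and the new sensitive-file block are added here.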
diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile
index 566911126..e914049cd 100644
--- a/src/variations/frankenphp/etc/frankenphp/Caddyfile
+++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile
@@ -127,24 +127,38 @@ fd00::/8 \
}
(security) {
- # Reject dot files and certain file extensions
- @rejected path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*
-
- # Return 403 Forbidden for rejected files
+ # This configuration follows security best practices from:
+ #
+ # H5BP Server Configs (nginx) - Adapted for Caddy
+ # https://github.com/h5bp/server-configs-nginx
+ #
+ # OWASP Secure Headers Project
+ # https://owasp.org/www-project-secure-headers/
+ #
+ # RFC 8615 - Well-Known URIs
+ # https://www.rfc-editor.org/rfc/rfc8615
+
+ # Block access to files that may expose sensitive information
+ @rejected {
+ path *.bak *.conf *.config *.dist *.inc *.ini *.log *.sh *.sql *.swp *.swo *~ */.*
+ # EXCEPTION: /.well-known/* is allowed per RFC 8615 for ACME challenges
+ # https://www.rfc-editor.org/rfc/rfc8615
+ not path /.well-known/*
+ }
respond @rejected 403
- # Security headers
+ # Security Headers
+ # https://owasp.org/www-project-secure-headers/
header {
defer
- # Prevent IFRAME spoofing attacks
+ # Prevent clickjacking attacks by disabling iframe embedding
X-Frame-Options "SAMEORIGIN"
- # Prevent MIME type sniffing
+ # Prevent MIME type sniffing attacks
X-Content-Type-Options "nosniff"
- # Prevent referrer leakage
+ # Control referrer information sent with requests
Referrer-Policy "strict-origin-when-cross-origin"
- # Prevent server header leakage
+ # Remove server identification headers
-Server
- # Prevent powered by header leakage
-X-Powered-By
}
}
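Review bot: The rewritten `@rejected` matcher's `path *.bak *.conf *.config ... */.*` line drops `*.orig` (along with `*.fla`, `*.psd`, `*.inci`, `*.swop`) from the previous list; `.orig` files left behind by `patch` or merge conflicts are exactly the backup-file leak this matcher exists to stop (a `config.php.orig` would be served as plain text), and nothing in the hunk explains removing it. I would restore it: `path *.bak *.conf *.config *.dist *.inc *.ini *.log *.orig *.sh *.sql *.swp *.swo *~ */.*`. Also, the nginx counterpart matches case-insensitively (`~*`) whereas Caddy's `path` matcher has historically been case-sensitive (newer releases changed this, as far as I recall — verify against the Caddy version pinned in the image), so `*.SQL` or `*.Bak` may slip through here; a comment stating which behavior the image relies on, e.g. `# NOTE: path matching case-sensitivity depends on the Caddy version; verify uppercase extensions are also rejected`, would help the next maintainer.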