From 00df1caeb78113cf7b32ea7a184e45ec47d95a94 Mon Sep 17 00:00:00 2001
From: Marcel Arns
Date: Tue, 16 Dec 2025 08:56:08 +0100
Subject: [PATCH 1/3] Fix blocking .well-known path for FrankenPHP
---
 .../frankenphp/etc/frankenphp/Caddyfile | 41 ++++++++++++++++++-
 1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile
index 56691112..ad7a91d3 100644
--- a/src/variations/frankenphp/etc/frankenphp/Caddyfile
+++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile
@@ -91,6 +91,39 @@ fd00::/8 \
 }
 log_skip @healthcheckpath
+ # Define specific endpoint under .well-known/
+ # https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
+ # https://en.wikipedia.org/wiki/Well-known_URI
+ @wellknown-allowed {
+ # ACME
+ path /.well-known/acme-challenge/*
+
+ # Security & identity
+ path /.well-known/security.txt
+
+ # OAuth / OpenID
+ path /.well-known/openid-configuration
+ path /.well-known/oauth-authorization-server
+
+ # Mobile / platform verification
+ # https://developer.apple.com/documentation/xcode/supporting-associated-domains
+ path /.well-known/assetlinks.json
+ path /.well-known/apple-app-site-association
+ path /.well-known/apple-developer-merchantid-domain-association
+
+ # Passkey support
+ path /.well-known/passkey-endpoints
+ path /.well-known/webauthn
+ }
+
+ handle @wellknown-allowed {
+ file_server
+ }
+
+ # Block everything else under .well-known
+ @wellknown-blocked path /.well-known/*
+ respond @wellknown-blocked 403
+
 php_server {
 {$CADDY_PHP_SERVER_OPTIONS}
 }
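Review bot: The `handle @wellknown-allowed { file_server }` block ends the request inside the handle: when the path is not a file on disk, `file_server` answers 404 and the request never reaches `php_server`, so any listed endpoint that the PHP application serves from a route (an `openid-configuration` or `apple-app-site-association` generated dynamically, for instance) becomes unreachable. Because `php_server` already serves static files and falls back to PHP, the allowlist only needs to be an exception on the blocking matcher so that allowed paths fall through, and the `handle` block can go. A `not` clause cannot reference a named matcher, so the allowed paths are listed as arguments of a single `not path` instead of reusing `@wellknown-allowed`. The enclosing site block continues outside the hunk.
```caddyfile
# … unchanged: @wellknown-allowed matcher (no longer needed) …

# Block everything under /.well-known/ that is not explicitly allowed;
# allowed paths fall through to php_server (static file or PHP route).
@wellknown-blocked {
    path /.well-known/*
    not path /.well-known/acme-challenge/* /.well-known/security.txt /.well-known/openid-configuration /.well-known/oauth-authorization-server /.well-known/assetlinks.json /.well-known/apple-app-site-association /.well-known/apple-developer-merchantid-domain-association /.well-known/passkey-endpoints /.well-known/webauthn
}
respond @wellknown-blocked 403
```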
@@ -127,8 +160,12 @@ fd00::/8 \
 }
 (security) {
- # Reject dot files and certain file extensions
- @rejected path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*
+ # Reject dot files and certain file extensions, excluding .well-known/
+ @rejected {
+ path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*
+ # .well-known needs to be whitelisted, further handling in php-app-common
+ not path /.well-known/*
+ }
 # Return 403 Forbidden for rejected files
 respond @rejected 403
From 41f70d11d1aa7e68ccf688dd6a6ed1602662abe7 Mon Sep 17 00:00:00 2001
From: Jay Rogers
Date: Wed, 14 Jan 2026 14:37:27 -0600
Subject: [PATCH 2/3] Remove specific endpoint checks because the whole folder should be allowed
---
 .../frankenphp/etc/frankenphp/Caddyfile | 33 -------------------
 1 file changed, 33 deletions(-)
diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile
index ad7a91d3..252b8ee5 100644
--- a/src/variations/frankenphp/etc/frankenphp/Caddyfile
+++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile
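Review bot: `not path /.well-known/*` lifts every pattern in `@rejected`, not only the `*/.*` dotfile rule, so `/.well-known/dump.sql` or `/.well-known/.git/config` would now be served where the old one-line matcher refused them (Caddy's `*` wildcard spans `/`, so `*/.*` had matched both). Keep the extension list in its own matcher and attach the exception only to a dotfile matcher: `@rejected_dotfiles { path */.*` followed by `not path /.well-known/* }`, with a second `respond @rejected_dotfiles 403`. The comment's reference to "further handling in php-app-common" points at a file not in this patch, so I cannot confirm that handling exists. The `(security)` snippet continues outside the hunk.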
@@ -91,39 +91,6 @@ fd00::/8 \ } log_skip @healthcheckpath - # Define specific endpoint under .well-known/ - # https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml - # https://en.wikipedia.org/wiki/Well-known_URI - @wellknown-allowed { - # ACME - path /.well-known/acme-challenge/* - - # Security & identity - path /.well-known/security.txt - - # OAuth / OpenID - path /.well-known/openid-configuration - path /.well-known/oauth-authorization-server - - # Mobile / platform verification - # https://developer.apple.com/documentation/xcode/supporting-associated-domains - path /.well-known/assetlinks.json - path /.well-known/apple-app-site-association - path /.well-known/apple-developer-merchantid-domain-association - - # Passkey support - path /.well-known/passkey-endpoints - path /.well-known/webauthn - } - - handle @wellknown-allowed { - file_server - } - - # Block everything else under .well-known - @wellknown-blocked path /.well-known/* - respond @wellknown-blocked 403 - php_server { {$CADDY_PHP_SERVER_OPTIONS} } From d654f3e2bc9957c87a9c7f35a3c4f50c8fe7c310 Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Wed, 14 Jan 2026 15:59:58 -0600 Subject: [PATCH 3/3] Enhance security configurations across Apache, NGINX, and Caddy by implementing best practices for HTTP headers and file access restrictions. Added protections against clickjacking, MIME type sniffing, and sensitive file exposure while allowing necessary access to well-known URIs as per RFC 8615. --- .../etc/apache2/conf-available/security.conf | 137 ++++++++---------- .../etc/nginx/server-opts.d/security.conf | 49 +++++-- .../frankenphp/etc/frankenphp/Caddyfile | 36 +++-- 3 files changed, 119 insertions(+), 103 deletions(-) diff --git a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf index 43957f47..990648e7 100644 --- a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf 
+++ b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf 
@@ -1,98 +1,77 @@ +## +# Security Configuration +## + +# This configuration follows security best practices from: # -# Disable access to the entire file system except for the directories that -# are explicitly allowed later. +# H5BP Server Configs (Apache) +# https://github.com/h5bp/server-configs-apache # -# This currently breaks the configurations that come with some web application -# Debian packages. +# OWASP Secure Headers Project +# https://owasp.org/www-project-secure-headers/ # -# -# AllowOverride None -# Require all denied -# - +# RFC 8615 - Well-Known URIs +# https://www.rfc-editor.org/rfc/rfc8615 +# +# ############################################################################## -# Changing the following options will not really affect the security of the -# server, but might make attacks slightly more difficult in some cases. +# ------------------------------------------------------------------------------ +# | Server Software Information | +# ------------------------------------------------------------------------------ -# -# ServerTokens -# This directive configures what you return as the Server HTTP response -# Header. The default is 'Full' which sends information about the OS-Type -# and compiled in modules. -# Set to one of: Full | OS | Minimal | Minor | Major | Prod -# where Full conveys the most information, and Prod the least. -#ServerTokens Minimal -# ServerTokens OS -# #ServerTokens Full +# Minimize information sent about the server +# https://httpd.apache.org/docs/current/mod/core.html#servertokens ServerTokens Prod -# -# Optionally add a line containing the server version and virtual host -# name to server-generated pages (internal error documents, FTP directory -# listings, mod_status and mod_info output etc., but not CGI generated -# documents or custom error documents). -# Set to "EMail" to also include a mailto: link to the ServerAdmin. 
-# Set to one of: On | Off | EMail +# Disable server signature on error pages +# https://httpd.apache.org/docs/current/mod/core.html#serversignature ServerSignature Off -# ServerSignature On -# -# Allow TRACE method -# -# Set to "extended" to also reflect the request body (only for testing and -# diagnostic purposes). -# -# Set to one of: On | Off | extended +# Disable TRACE HTTP method to prevent XST attacks +# https://owasp.org/www-community/attacks/Cross_Site_Tracing TraceEnable Off -#TraceEnable On -# -# Forbid access to version control directories -# -# If you use version control systems in your document root, you should -# probably deny access to their directories. For example, for subversion: -# - - Require all denied +# ------------------------------------------------------------------------------ +# | Security Headers | +# ------------------------------------------------------------------------------ + +# Prevent clickjacking attacks by disabling iframe embedding +# https://owasp.org/www-project-secure-headers/#x-frame-options +Header always set X-Frame-Options "SAMEORIGIN" + +# Prevent MIME type sniffing attacks +# https://owasp.org/www-project-secure-headers/#x-content-type-options +Header always set X-Content-Type-Options "nosniff" + +# Control referrer information sent with requests +# https://owasp.org/www-project-secure-headers/#referrer-policy +Header always set Referrer-Policy "strict-origin-when-cross-origin" + +# Enable HTTP Strict Transport Security (HSTS) +# https://owasp.org/www-project-secure-headers/#strict-transport-security +Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" + +# ------------------------------------------------------------------------------ +# | File Access Restrictions | +# ------------------------------------------------------------------------------ + +# Block access to all hidden files and directories (dotfiles) +# EXCEPT for the "/.well-known/" directory which is required by RFC 8615 +# 
for ACME challenges, security.txt, and other standardized endpoints. +# https://www.rfc-editor.org/rfc/rfc8615 +# https://github.com/h5bp/server-configs-apache + + Require all denied -# Prevent Apache from serving Gitlab files - - Require all denied +# Block access to files that may expose sensitive information +# Based on H5BP server configs: https://github.com/h5bp/server-configs-apache + + Require all denied # Disable XML-RPC on all wordpress sites Require all denied # allow from xxx.xxx.xxx.xxx - - -# -# Setting this header will prevent MSIE from interpreting files as something -# else than declared by the content type in the HTTP headers. -# Requires mod_headers to be enabled. -# -Header always set X-Content-Type-Options: "nosniff" - -# -# Setting this header will prevent other sites from embedding pages from this -# site as frames. This defends against clickjacking attacks. -# Requires mod_headers to be enabled. -# -Header always set X-Frame-Options: "sameorigin" - -# -# Referrer policy -# -Header always set Referrer-Policy "no-referrer-when-downgrade" - -# -# Content Security Policy -# UPDATE - September 2020: Commenting this out until we grasp better security requirements -# -#Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" - -# -# Strict-Transport-Security Policy (set HSTS) -# -Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" \ No newline at end of file + \ No newline at end of file diff --git a/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf b/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf index e9056298..19986ee3 100644 --- a/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf +++ b/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf 
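Review bot: The `Header always set …` block no longer carries the old file's note that it requires mod_headers, and unlike the H5BP source it cites it is not wrapped in `<IfModule mod_headers.c>`; with the module unloaded Apache refuses to start on `Invalid command 'Header'`, so either restore the caveat (`# Requires mod_headers (a2enmod headers); Apache will not start without it`) or add the IfModule guard. The `<FilesMatch>`/`<DirectoryMatch>` patterns behind the two `Require all denied` lines are not visible in this rendering, so I cannot confirm they still cover `.orig` — the nginx and Caddy lists in this same commit drop it, which would leave `config.php.orig`-style leftovers servable. Note also that `always set` writes the always/error header table: if the PHP application emits its own `X-Frame-Options` or `Referrer-Policy`, the response carries both copies, and browsers treat conflicting frame-options values as a refusal to frame — presumably acceptable, but worth a comment such as `# 'always' headers are added alongside any the application sets; they do not replace them`.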
@@ -1,24 +1,51 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
+#
+# H5BP Server Configs (nginx)
+# https://github.com/h5bp/server-configs-nginx
 #
-# Security Headers
+# OWASP Secure Headers Project
+# https://owasp.org/www-project-secure-headers/
 #
+# RFC 8615 - Well-Known URIs
+# https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
-# Prevent IFRAME spoofing attacks
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
 add_header X-Frame-Options "SAMEORIGIN" always;
-# Prevent MIME attacks
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
 add_header X-Content-Type-Options "nosniff" always;
-# Prevent Referrer URL from being leaked
-add_header Referrer-Policy "no-referrer-when-downgrade" always;
-
-# Configure Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-#add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-# Enable HSTS
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-# Prevent access to . files (the well-known directory)
+# ------------------------------------------------------------------------------
+# | File Access Restrictions |
+# ------------------------------------------------------------------------------
+
+# Block access to hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-nginx
 location ~ /\.(?!well-known) {
 deny all;
+}
+
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-nginx
+location ~* (?:#.*#|\.(?:bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$ {
+ deny all;
 }
\ No newline at end of file
diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile
index 252b8ee5..e914049c 100644
--- a/src/variations/frankenphp/etc/frankenphp/Caddyfile
+++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile
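Review bot: The new sensitive-file `location` drops `orig` (along with `psd`/`fla`) from the suffix list the old Caddy rule carried, so a `config.php.orig` left behind by a merge or `patch` would now be served as plain text; restore it with `location ~* (?:#.*#|\.(?:bak|conf|config|dist|inc|ini|log|orig|sh|sql|sw[op])|~)$ {` (dropping the binary design formats is presumably deliberate). Both blocks here are regex locations, so their precedence depends on where they land relative to any other `~` location, such as a PHP handler, in the including server block, which this file does not show — a request for `/.well-known/x.php` goes to whichever regex location is evaluated first. Since `add_header` is not inherited into a `location` that defines its own `add_header`, the header section would benefit from a comment like `# NOTE: these add_header lines are dropped in any location that sets its own add_header; repeat them there`.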
@@ -127,28 +127,38 @@ fd00::/8 \
 }
 (security) {
- # Reject dot files and certain file extensions, excluding .well-known/
+ # This configuration follows security best practices from:
+ #
+ # H5BP Server Configs (nginx) - Adapted for Caddy
+ # https://github.com/h5bp/server-configs-nginx
+ #
+ # OWASP Secure Headers Project
+ # https://owasp.org/www-project-secure-headers/
+ #
+ # RFC 8615 - Well-Known URIs
+ # https://www.rfc-editor.org/rfc/rfc8615
+
+ # Block access to files that may expose sensitive information
 @rejected {
- path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*
- # .well-known needs to be whitelisted, further handling in php-app-common
- not path /.well-known/*
- }
-
- # Return 403 Forbidden for rejected files
+ path *.bak *.conf *.config *.dist *.inc *.ini *.log *.sh *.sql *.swp *.swo *~ */.*
+ # EXCEPTION: /.well-known/* is allowed per RFC 8615 for ACME challenges
+ # https://www.rfc-editor.org/rfc/rfc8615
+ not path /.well-known/*
+ }
 respond @rejected 403
- # Security headers
+ # Security Headers
+ # https://owasp.org/www-project-secure-headers/
 header {
 defer
- # Prevent IFRAME spoofing attacks
+ # Prevent clickjacking attacks by disabling iframe embedding
 X-Frame-Options "SAMEORIGIN"
- # Prevent MIME type sniffing
+ # Prevent MIME type sniffing attacks
 X-Content-Type-Options "nosniff"
- # Prevent referrer leakage
+ # Control referrer information sent with requests
 Referrer-Policy "strict-origin-when-cross-origin"
- # Prevent server header leakage
+ # Remove server identification headers
 -Server
- # Prevent powered by header leakage
 -X-Powered-By
 }
 }
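Review bot: The single `not path /.well-known/*` exception still exempts the whole subtree from every pattern in `@rejected`, including the extension rules, whereas the nginx counterpart in this same commit relaxes only the dotfile regex — so on FrankenPHP `/.well-known/backup.sql` is served while the nginx variation refuses it. The new list also drops `*.orig` from the old rule, leaving `config.php.orig`-style leftovers exposed. Splitting the matcher as below aligns the two variations; nested dotfiles such as `/.well-known/.git/` remain reachable with `not path`, because Caddy's RE2-based `path_regexp` has no negative lookahead to mirror nginx's `(?!well-known)`, and that residual gap is worth a comment.
```caddyfile
# Block access to files that may expose sensitive information
# (no .well-known exception here: RFC 8615 endpoints never use these suffixes)
@rejected_files path *.bak *.conf *.config *.dist *.inc *.ini *.log *.orig *.sh *.sql *.swp *.swo *~
respond @rejected_files 403

# Block dotfiles, except under /.well-known/ (RFC 8615, e.g. ACME challenges).
# NOTE: dotfiles nested below /.well-known/ are not caught by this form.
@rejected_dotfiles {
    path */.*
    not path /.well-known/*
}
respond @rejected_dotfiles 403

# … unchanged: header block …
```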