# HG changeset patch # User IBBoard # Date 1463242210 -3600 # Node ID ef0926ee389ab495626015ab2dc945ff9e0b5bcc # Parent e50dab7495d7d58eb121e1877eadf7b17fc8a398 Lock down Apache headers for security, based on https://securityheaders.io/ diff -r e50dab7495d7 -r ef0926ee389a modules/website/files/zzz-custom.conf --- a/modules/website/files/zzz-custom.conf Sat Apr 23 16:28:47 2016 +0100 +++ b/modules/website/files/zzz-custom.conf Sat May 14 17:10:10 2016 +0100 @@ -78,3 +78,5 @@ header set X-Clacks-Overhead "GNU Terry Pratchett" + +ServerTokens Minor \ No newline at end of file diff -r e50dab7495d7 -r ef0926ee389a modules/website/manifests/https.pp --- a/modules/website/manifests/https.pp Sat Apr 23 16:28:47 2016 +0100 +++ b/modules/website/manifests/https.pp Sat May 14 17:10:10 2016 +0100 @@ -29,7 +29,10 @@ $logpart = $shortname $shortdomain = domain_to_short_domain($name) - $custom_conf0 = 'Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"' + $custom_conf0 = 'Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" +Header always set X-Xss-Protection "1; mode=block" +Header always set X-Content-Type-Options "nosniff" +Header always set X-Frame-Options "SAMEORIGIN"' if $force_no_index { $custom_conf1 = "$custom_conf0 diff -r e50dab7495d7 -r ef0926ee389a modules/website/manifests/php.pp --- a/modules/website/manifests/php.pp Sat Apr 23 16:28:47 2016 +0100 +++ b/modules/website/manifests/php.pp Sat May 14 17:10:10 2016 +0100 @@ -26,7 +26,8 @@ } file { '/etc/php.d/custom-lockdown.ini': ensure => present, - content => 'allow_url_fopen = \'off\'', + content => 'allow_url_fopen = \'off\' + expose_php = Off', } file { '/etc/php.d/custom-php.ini': ensure => present,
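Review bot: `ServerTokens Minor` in the zzz-custom.conf hunk still reports the Apache major and minor version in the `Server` header, which is the opposite of what a header lock-down wants; `ServerTokens Prod` (product name only) is the restrictive setting, and it should be paired with `ServerSignature Off` so server-generated error and index pages stop printing the version as well. The added line also has no terminating newline (`\ No newline at end of file`), so the next addition to this file will produce a noisy diff; end the file with a newline.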
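Review bot: the https.pp hunk adds X-Xss-Protection, X-Content-Type-Options and X-Frame-Options but no Content-Security-Policy, which the securityheaders.io scan named in the commit message also grades and which supersedes X-Frame-Options through `frame-ancestors`; at minimum a `Content-Security-Policy-Report-Only` line would let the policy be tuned without breaking the sites. Two smaller points on the same string: the canonical spelling is `X-XSS-Protection` (header names are case-insensitive, so it works, but the common form is easier to grep for), and the HSTS `max-age=16070400` kept here is about 186 days, below the one-year value expected for HSTS preload submission. Since this only touches https.pp, confirm that any plain-HTTP vhosts defined elsewhere also receive the nosniff and frame headers.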
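Review bot: the php.pp hunk changes the `content` of `/etc/php.d/custom-lockdown.ini`, but the visible file resource has no `notify` or `subscribe` on the service that runs PHP, so `expose_php = Off` will not take effect until httpd (or php-fpm, whichever serves PHP on these hosts) is restarted by hand; add `notify => Service['<php service>']` for that service. Also, the continuation line is indented inside the string, so the ini file ends up with leading whitespace before `expose_php`, and the two directives use different value styles (`'off'` versus `Off`); start each directive at column zero and use one consistent form, e.g. `allow_url_fopen = Off` on its own line followed by `expose_php = Off`.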