Topic: Security header check with securityheaders.com
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? download
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? 3.6(LDAP)
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi moderator:
Running a header check on the securityheaders.com site reports three unfavourable messages:
Missing Headers: Strict-Transport-Security and Feature-Policy
Warnings: Content-Security-Policy
How reliable is this site's check? Do the messages above need to be resolved? If so, how?
In /etc/nginx/conf-enabled/headers.conf I tried modifying and adding the following:
# max-age is mandatory: browsers ignore an HSTS header that does not carry it
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
#add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header Content-Security-Policy "default-src https: data: ; script-src 'self'";
add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
With the changes above I do get an A+, but in phpLDAPadmin the left half of the page no longer displays correctly, although the functions still work.
The iRedAdmin-Pro backend and Roundcube both work normally.
Thanks.
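As an added example (not from the original post or the iRedMail project), a small Python checker that reproduces the scanner's three findings offline on a constructed header block; it also flags an HSTS header that lacks max-age, which browsers ignore, and treats Permissions-Policy as satisfying the Feature-Policy check.

```python
"""Added example: offline check for the three headers discussed in the post.
Parses a raw HTTP response header block and reports missing or weak
Strict-Transport-Security, Content-Security-Policy and Feature-Policy."""
import re

# Constructed sample: an Nginx reply carrying only the post's commented-out
# CSP line, before the HSTS and Feature-Policy lines were added.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lower-cased name: value}; the status line and body are skipped."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_security_headers(raw):
    """Return (missing, warnings), mirroring the scanner's two categories."""
    h = parse_headers(raw)
    missing, warnings = [], []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        missing.append("Strict-Transport-Security")
    elif not re.search(r"max-age=\d+", hsts, re.I):
        # RFC 6797: a policy without max-age is not a valid HSTS policy.
        warnings.append("Strict-Transport-Security: max-age directive missing")
    csp = h.get("content-security-policy")
    if csp is None:
        missing.append("Content-Security-Policy")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp:
                warnings.append(f"Content-Security-Policy: allows {weak}")
    # Permissions-Policy is the successor name for Feature-Policy.
    if "feature-policy" not in h and "permissions-policy" not in h:
        missing.append("Feature-Policy")
    return missing, warnings
```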