Apache security

mattlambie · January 6, 2020, 1:35pm

Any chance of setting security headers in apache?

HTTP Security Header	Header Role	Status
X-Frame-Options	Protects against Clickjacking attacks	Not set
X-XSS-Protection	Mitigates Cross-Site Scripting (XSS) attacks	Not set
Strict-Transport-Security	Protects against man-in-the-middle attacks	Not set
X-Content-Type-Options	Prevents possible phishing or XSS attacks	Not set

flamingm0e · January 6, 2020, 2:12pm

As far as I know, Home Assistant doesn’t use Apache at all.

mattlambie · January 6, 2020, 9:33pm

Okie dokie, I thought it was a python driven apache webserver.

Either way, still could do with having the Security Headers sorted for that little extra security.

flamingm0e · January 6, 2020, 9:46pm

Home Assistant uses AIOHTTP

github.com

home-assistant/core/blob/376d4e4fa0bbcbfa07646f49f9d8fd56c8c0df3c/homeassistant/components/http/init.py#L13


      
          
          For more details about this component, please refer to the documentation at
          https://home-assistant.io/components/http/
          """
          from ipaddress import ip_network
          import logging
          import os
          import ssl
          from typing import Optional
          
          from aiohttp import web
          from aiohttp.web_exceptions import HTTPMovedPermanently
          import voluptuous as vol
          
          from homeassistant.const import (
              EVENT_HOMEASSISTANT_START, EVENT_HOMEASSISTANT_STOP, SERVER_PORT)
          import homeassistant.helpers.config_validation as cv
          import homeassistant.util as hass_util
          from homeassistant.util.logging import HideSensitiveDataFilter
          from homeassistant.util import ssl as ssl_util

Feel free to submit a pull request.