Skip to content

Commit

Permalink
Allow ETag headers for Journalist Interface
Browse files Browse the repository at this point in the history
ETags are useful to the journalist API to ensure file integrity, and in the future would allow file download resumption. Disabling ETags is a defense against information leakage https://nvd.nist.gov/vuln/detail/CVE-2003-1418. Since inodes are no longer included by Apache by default, since 2.3.14, that Apache only exposes filesize and MTime by default (information readily available on the Journalist interface, that the Journalist Interface is behind ATHS, it should be safe to re-enable ETags on the journalist interface only.
  • Loading branch information
emkll committed Mar 21, 2019
1 parent 12977cc commit febee2b
Show file tree
Hide file tree
Showing 2 changed files with 0 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@ Header set X-Content-Type-Options: nosniff
Header set X-Download-Options: noopen
Header set X-Content-Security-Policy: "default-src 'self'"
Header set Content-Security-Policy: "default-src 'self'"
Header unset Etag

# Limit the max submitted size of requests.
LimitRequestBody 524288000
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@
"Header set X-Content-Security-Policy: \"default-src 'self'\"",
"Header set Content-Security-Policy: \"default-src 'self'\"",
'Header set Referrer-Policy "no-referrer"',
'Header unset Etag',
]


Expand Down

0 comments on commit febee2b

Please sign in to comment.