Make sure security headers are always set

LeoColomb · LeoColomb · commit d84d94c7e1e3 · 2020-04-13T22:01:17.000+02:00
Closes #186
diff --git a/h5bp/internet_explorer/x-ua-compatible.conf b/h5bp/internet_explorer/x-ua-compatible.conf
@@ -17,5 +17,5 @@
 # https://msdn.microsoft.com/en-us/library/ff955275.aspx
 
 <IfModule mod_headers.c>
-    Header set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+    Header always set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
 </IfModule>
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
@@ -75,5 +75,5 @@
 
 <IfModule mod_headers.c>
     #                                   (1)                 (2)              (3)                 (4)                     (5)                         (6)
-    Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
+    Header always set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
 </IfModule>
diff --git a/h5bp/security/referrer-policy.conf b/h5bp/security/referrer-policy.conf
@@ -22,5 +22,5 @@
 
 <IfModule mod_headers.c>
     #                                                             (1)
-    Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
 </IfModule>
diff --git a/h5bp/security/x-content-type-options.conf b/h5bp/security/x-content-type-options.conf
@@ -14,5 +14,5 @@
 # https://mimesniff.spec.whatwg.org/
 
 <IfModule mod_headers.c>
-    Header set X-Content-Type-Options "nosniff"
+    Header always set X-Content-Type-Options "nosniff"
 </IfModule>
diff --git a/h5bp/security/x-frame-options.conf b/h5bp/security/x-frame-options.conf
@@ -33,5 +33,5 @@
 # https://www.owasp.org/index.php/Clickjacking
 
 <IfModule mod_headers.c>
-    Header set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+    Header always set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
 </IfModule>
diff --git a/h5bp/security/x-xss-protection.conf b/h5bp/security/x-xss-protection.conf
@@ -37,5 +37,5 @@
 
 <IfModule mod_headers.c>
     #                           (1)    (2)
-    Header set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+    Header always set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
 </IfModule>
