[gimp-web/oscp] Add HSTS and CSP headers



commit 8e3670911c85ee59b295172e1bbf8fd1d2686bd1
Author: Michael Schumacher <schumaml gmx de>
Date:   Thu Mar 26 22:54:17 2020 +0100

    Add HSTS and CSP headers

 .../app_data/httpd-cfg/download.gimp.org.conf      | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)
---
diff --git a/download.gimp.org/app_data/httpd-cfg/download.gimp.org.conf 
b/download.gimp.org/app_data/httpd-cfg/download.gimp.org.conf
index 944136bd..6b707d60 100644
--- a/download.gimp.org/app_data/httpd-cfg/download.gimp.org.conf
+++ b/download.gimp.org/app_data/httpd-cfg/download.gimp.org.conf
@@ -11,6 +11,30 @@
     DocumentRoot /ftp
     AddType application/x-apple-diskimage .dmg
 
+    ##
+    # Headers relevant to security
+    ##
+
+    # Only connect to this site via HTTPS for the next year (recommended)
+    Header always set Strict-Transport-Security "max-age=31536000"
+
+    # Only allow my site to frame itself
+    Header always set X-Frame-Options "SAMEORIGIN"
+
+    # Block pages from loading when they detect reflected XSS attacks
+    Header always set X-XSS-Protection "1; mode=block"
+
+    # Prevent browsers from incorrectly detecting non-scripts as scripts
+    Header always set X-Content-Type-Options "nosniff"
+
+    # Disable unsafe inline/eval, only load resources from same origin
+    # Also disables the execution of plugins
+    Header always set Content-Security-Policy "default-src 'self'; object-src 'none'"
+
+    ##
+    # Rewrite rules
+    ##
+
     RewriteEngine On
     RewriteMap servers rnd:/opt/app-root/src/download.gimp.org.map
 
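Review bot: The `Header always set X-XSS-Protection "1; mode=block"` line enables a legacy browser filter that current guidance recommends turning off, since the auditor has been removed from Chromium and in some engines it could be abused to leak cross-site information; with the Content-Security-Policy set a few lines below it adds nothing, so consider `Header always set X-XSS-Protection "0"` or dropping the line. The comment above the HSTS header promises HTTPS-only access, but browsers only honour Strict-Transport-Security when it arrives over TLS and the value omits `includeSubDomains`, so if this vhost also answers plain HTTP it is a redirect to HTTPS, not this header, that enforces the promise — I cannot confirm from the hunk which listeners this file serves. A short comment stating that, e.g. `# Only effective on the HTTPS listener; plain-HTTP requests must be redirected`, would keep the next maintainer from relying on it. The enclosing vhost block starts and ends outside the hunk.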

