Add config for http_response_headers module

2025-12-05 17:49:22 -05:00 · 2025-12-05 17:49:22 -05:00 · 278c1c661b
commit 278c1c661b
parent 8abb36d3bb
12 changed files with 142 additions and 0 deletions
--- a/config/core.extension.yml
+++ b/config/core.extension.yml
@ -62,6 +62,7 @@ module:
  gin_toolbar: 0
  help: 0
  history: 0
+  http_response_headers: 0
  image: 0
  image_widget_crop: 0
  jquery_ui: 0
--- a/config/http_response_headers.response_header.access_control_allow_origin.yml
+++ b/config/http_response_headers.response_header.access_control_allow_origin.yml
@ -0,0 +1,12 @@
+uuid: fa327e7c-3cab-4ea8-ba4b-d2c34a05a23e
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: jiYdwY3CosYS2LwI7rEJboBZ4h4lh4NaUGc31nkShPI
+id: access_control_allow_origin
+label: Access-Control-Allow-Origin
+description: 'Access-Control-Allow-Origin is apart of the Cross Origin Resource Sharing (CORS) specification. This header is used to determine which sites are allowed to access the resource by defining either a single origin or all sites (denoted by a wildcard value).'
+name: Access-Control-Allow-Origin
+value: '*'
+visibility: {  }
--- a/config/http_response_headers.response_header.content_security_policy.yml
+++ b/config/http_response_headers.response_header.content_security_policy.yml
@ -0,0 +1,12 @@
+uuid: e1cccab9-59b6-4586-ad7f-dc1b05975d44
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: vm-IJzaf6_rD43UbNf5XszM3uyG3n30GUMK7FQVQSqw
+id: content_security_policy
+label: Content-Security-Policy
+description: 'This HTTP header parameter allows you to define a whitelist of approved sources of content for your site. By restricting the assets that a browser can load for your site you will have extra level of protection from XSS attacks.'
+name: Content-Security-Policy
+value: ''
+visibility: {  }
--- a/config/http_response_headers.response_header.default_caching.yml
+++ b/config/http_response_headers.response_header.default_caching.yml
@ -0,0 +1,21 @@
+uuid: 79489f95-2a0c-4ff6-b500-2724ee3f6f7a
+langcode: en
+status: true
+dependencies: {  }
+id: default_caching
+label: 'Default caching'
+description: "Setting cache-control to public for content accessible to anonymous visitors.\r\n"
+name: cache-control
+value: 'public, max-age=600'
+visibility:
+  condition_group:
+    id: condition_group
+    negate: false
+    block_visibility_group: ''
+  user_role:
+    id: user_role
+    negate: false
+    context_mapping:
+      user: '@user.current_user_context:current_user'
+    roles:
+      anonymous: anonymous
--- a/config/http_response_headers.response_header.public_key_pins.yml
+++ b/config/http_response_headers.response_header.public_key_pins.yml
@ -0,0 +1,12 @@
+uuid: 5eb46a95-44ae-4d6e-a696-b08fd3416dd0
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: QnihCO4_FUzmixcXqUFF2z8WsUZt-Llst3ovAoeXZ0E
+id: public_key_pins
+label: Public-Key-Pins
+description: 'HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent Man in the Middle (MITM) attacks with forged certificates.'
+name: Public-Key-Pins
+value: ''
+visibility: {  }
--- a/config/http_response_headers.response_header.referrer_policy.yml
+++ b/config/http_response_headers.response_header.referrer_policy.yml
@ -0,0 +1,12 @@
+uuid: c7a87497-2a63-4bc9-9020-5ce2cd123165
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: JSZo_FSu2YFf7fXKgHhgJGvzRNHDcmakAcXGR4jCf-s
+id: referrer_policy
+label: Referrer-Policy
+description: 'Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.'
+name: Referrer-Policy
+value: strict-origin-when-cross-origin
+visibility: {  }
--- a/config/http_response_headers.response_header.strict_transport_security.yml
+++ b/config/http_response_headers.response_header.strict_transport_security.yml
@ -0,0 +1,12 @@
+uuid: 3605bea5-aa9f-472e-b1f0-70dc7227b22f
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: EzF-BPkjidXdWfV5ZguA1GZG1XlRg3gh8_E7Oi9MdtM
+id: strict_transport_security
+label: Strict-Transport-Security
+description: 'This policy will enforce TLS on your site and all subdomains for a year.'
+name: Strict-Transport-Security
+value: 'max-age=31536000; includeSubDomains'
+visibility: {  }
--- a/config/http_response_headers.response_header.x_content_type_options.yml
+++ b/config/http_response_headers.response_header.x_content_type_options.yml
@ -0,0 +1,12 @@
+uuid: 7a4d4776-1986-473f-8dc2-e9774e27094a
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: qRI3wEmvqepaLI3hMH5U_tq_svkQ6s-7cgAmZKO-F4A
+id: x_content_type_options
+label: X-Content-Type-Options
+description: 'This header parameter prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.'
+name: X-Content-Type-Options
+value: nosniff
+visibility: {  }
--- a/config/http_response_headers.response_header.x_frame_options.yml
+++ b/config/http_response_headers.response_header.x_frame_options.yml
@ -0,0 +1,12 @@
+uuid: af80c7d0-6dbf-4338-b7e1-95e95f49bba5
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: aCpW04rpcXDf65J6xXwCkplv2TKA64ANULWPnidTXwE
+id: x_frame_options
+label: X-Frame-Options
+description: "Clickjacking protection. Valid values include <em>DENY</em> meaning your site can't be framed, <em>SAMEORIGIN</em> which allows you to frame your own site or <em>ALLOW-FROM https://example.com/</em> which lets you specify sites that are permitted to frame"
+name: X-Frame-Options
+value: SAMEORIGIN
+visibility: {  }
--- a/config/http_response_headers.response_header.x_generator.yml
+++ b/config/http_response_headers.response_header.x_generator.yml
@ -0,0 +1,12 @@
+uuid: 5883aa74-8604-4b8b-a88a-378ab708f1c0
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: rVXSHnFplX0srS0yj58pNNp_cHSe07Q-YnpBHUX4xUY
+id: x_generator
+label: X-Generator
+description: 'Allows the declaration of the CMS type and version to be modified.'
+name: X-Generator
+value: ''
+visibility: {  }
--- a/config/http_response_headers.response_header.x_powered_by.yml
+++ b/config/http_response_headers.response_header.x_powered_by.yml
@ -0,0 +1,12 @@
+uuid: e5a4547c-2fc5-4ebc-8111-0b85bcb655e4
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: qN2wWwIBQbvvZJ3v_gPS6_atvVWy-iU55c5Tdj_MqFQ
+id: x_powered_by
+label: X-Powered-By
+description: "The X-Powered-By header gives information on the technology that's supporting the Web Server. It is best not to provide this information."
+name: X-Powered-By
+value: ''
+visibility: {  }
--- a/config/http_response_headers.response_header.x_xss_protection.yml
+++ b/config/http_response_headers.response_header.x_xss_protection.yml
@ -0,0 +1,12 @@
+uuid: 26090083-85fd-483e-b029-83582abecdfb
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: xjdq0o6GzQSm6T11WcRHJ3A_DGGSEYiLrmqhLM8hpWQ
+id: x_xss_protection
+label: X-Xss-Protection
+description: "This response header can be used to configure a user-agent's built in reflective XSS protection. Currently, only Microsoft's Internet Explorer, Google Chrome and Safari (WebKit) support this header."
+name: X-Xss-Protection
+value: '1; mode=block'
+visibility: {  }