From 278c1c661b8ddefeadffeb422cd3ebacb3efa799 Mon Sep 17 00:00:00 2001
From: "Chris (wolcen) Thompson"
Date: Fri, 5 Dec 2025 17:49:22 -0500
Subject: [PATCH] Add config for http_response_headers module

---
 config/core.extension.yml | 1 +
 ...nse_header.access_control_allow_origin.yml | 12 +++++++++++
 ...esponse_header.content_security_policy.yml | 12 +++++++++++
 ...eaders.response_header.default_caching.yml | 21 +++++++++++++++++++
 ...eaders.response_header.public_key_pins.yml | 12 +++++++++++
 ...eaders.response_header.referrer_policy.yml | 12 +++++++++++
 ...ponse_header.strict_transport_security.yml | 12 +++++++++++
 ...response_header.x_content_type_options.yml | 12 +++++++++++
 ...eaders.response_header.x_frame_options.yml | 12 +++++++++++
 ...se_headers.response_header.x_generator.yml | 12 +++++++++++
 ...e_headers.response_header.x_powered_by.yml | 12 +++++++++++
 ...aders.response_header.x_xss_protection.yml | 12 +++++++++++
 12 files changed, 142 insertions(+)
 create mode 100644 config/http_response_headers.response_header.access_control_allow_origin.yml
 create mode 100644 config/http_response_headers.response_header.content_security_policy.yml
 create mode 100644 config/http_response_headers.response_header.default_caching.yml
 create mode 100644 config/http_response_headers.response_header.public_key_pins.yml
 create mode 100644 config/http_response_headers.response_header.referrer_policy.yml
 create mode 100644 config/http_response_headers.response_header.strict_transport_security.yml
 create mode 100644 config/http_response_headers.response_header.x_content_type_options.yml
 create mode 100644 config/http_response_headers.response_header.x_frame_options.yml
 create mode 100644 config/http_response_headers.response_header.x_generator.yml
 create mode 100644 config/http_response_headers.response_header.x_powered_by.yml
 create mode 100644 config/http_response_headers.response_header.x_xss_protection.yml
diff --git a/config/core.extension.yml b/config/core.extension.yml
index ed31989..f330406 100644
--- a/config/core.extension.yml
+++ b/config/core.extension.yml
@@ -62,6 +62,7 @@ module:
   gin_toolbar: 0
   help: 0
   history: 0
+  http_response_headers: 0
   image: 0
   image_widget_crop: 0
   jquery_ui: 0
diff --git a/config/http_response_headers.response_header.access_control_allow_origin.yml b/config/http_response_headers.response_header.access_control_allow_origin.yml
new file mode 100644
index 0000000..85b9d19
--- /dev/null
+++ b/config/http_response_headers.response_header.access_control_allow_origin.yml
@@ -0,0 +1,12 @@
+uuid: fa327e7c-3cab-4ea8-ba4b-d2c34a05a23e
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: jiYdwY3CosYS2LwI7rEJboBZ4h4lh4NaUGc31nkShPI
+id: access_control_allow_origin
+label: Access-Control-Allow-Origin
+description: 'Access-Control-Allow-Origin is apart of the Cross Origin Resource Sharing (CORS) specification. This header is used to determine which sites are allowed to access the resource by defining either a single origin or all sites (denoted by a wildcard value).'
+name: Access-Control-Allow-Origin
+value: '*'
+visibility: { }
diff --git a/config/http_response_headers.response_header.content_security_policy.yml b/config/http_response_headers.response_header.content_security_policy.yml
new file mode 100644
index 0000000..6d6a0af
--- /dev/null
+++ b/config/http_response_headers.response_header.content_security_policy.yml
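Review bot: `value: '*'` together with `status: true` in the access_control_allow_origin hunk turns on a wildcard Access-Control-Allow-Origin, and with `visibility: { }` there is no condition visible in the hunk limiting which responses carry it, so presumably every response the module decorates becomes readable cross-origin by any site. For a site with authenticated users that is rarely intended; either ship the entry disabled, `status: false`, until the consuming origins are known, or set `value` to the specific origin that needs CORS. Drupal core also exposes CORS settings through `cors.config` in services.yml, so check that the two sources do not disagree once this module is enabled. How the module applies the header (replace vs. append) is not visible in this patch.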
@@ -0,0 +1,12 @@
+uuid: e1cccab9-59b6-4586-ad7f-dc1b05975d44
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: vm-IJzaf6_rD43UbNf5XszM3uyG3n30GUMK7FQVQSqw
+id: content_security_policy
+label: Content-Security-Policy
+description: 'This HTTP header parameter allows you to define a whitelist of approved sources of content for your site. By restricting the assets that a browser can load for your site you will have extra level of protection from XSS attacks.'
+name: Content-Security-Policy
+value: ''
+visibility: { }
diff --git a/config/http_response_headers.response_header.default_caching.yml b/config/http_response_headers.response_header.default_caching.yml
new file mode 100644
index 0000000..28bcd50
--- /dev/null
+++ b/config/http_response_headers.response_header.default_caching.yml
@@ -0,0 +1,21 @@
+uuid: 79489f95-2a0c-4ff6-b500-2724ee3f6f7a
+langcode: en
+status: true
+dependencies: { }
+id: default_caching
+label: 'Default caching'
+description: "Setting cache-control to public for content accessible to anonymous visitors.\r\n"
+name: cache-control
+value: 'public, max-age=600'
+visibility:
+  condition_group:
+    id: condition_group
+    negate: false
+    block_visibility_group: ''
+  user_role:
+    id: user_role
+    negate: false
+    context_mapping:
+      user: '@user.current_user_context:current_user'
+    roles:
+      anonymous: anonymous
diff --git a/config/http_response_headers.response_header.public_key_pins.yml b/config/http_response_headers.response_header.public_key_pins.yml
new file mode 100644
index 0000000..fa72fe6
--- /dev/null
+++ b/config/http_response_headers.response_header.public_key_pins.yml
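Review bot: `status: true` combined with `value: ''` in the content_security_policy hunk enables a header that has no value; the same combination appears in the public_key_pins, x_generator and x_powered_by hunks. Whether the http_response_headers module emits an empty header or strips the header when the value is empty is not visible in this patch, and the two behaviours have opposite consequences: removing X-Generator and X-Powered-By is the desired outcome, while an empty Content-Security-Policy provides none of the protection the description promises and may be rejected or logged as malformed by browsers. For the entries that are meant to carry a policy, set `status: false` until a real value is chosen (a restrictive starting point such as `value: "default-src 'self'"` still needs testing against the site's actual assets); for the entries meant to suppress a header, confirm the module's empty-value behaviour and note it in the commit message. As a wording nit, the description's "whitelist" is better written as "allowlist".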
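Review bot: `value: 'public, max-age=600'` in the default_caching hunk is applied to every response that matches the anonymous user_role condition, and nothing in the visibility block excludes responses that core marks as uncacheable (for example a response that starts a session or an error page); confirm that the module does not override core's Cache-Control on those, because a shared cache honouring `public` could serve one visitor's response to another. The `description` also ends with a literal `\r\n` inside the double-quoted scalar, which becomes part of the stored string and shows up in the admin UI; drop it: `description: 'Setting cache-control to public for content accessible to anonymous visitors.'`. This is the only entry without `_core.default_config_hash`, so it appears to be site-authored rather than a module default, which is worth a sentence in the commit message. The `condition_group` with an empty `block_visibility_group` looks like a leftover from the UI and could be removed if it is not intended.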
@@ -0,0 +1,12 @@
+uuid: 5eb46a95-44ae-4d6e-a696-b08fd3416dd0
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: QnihCO4_FUzmixcXqUFF2z8WsUZt-Llst3ovAoeXZ0E
+id: public_key_pins
+label: Public-Key-Pins
+description: 'HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent Man in the Middle (MITM) attacks with forged certificates.'
+name: Public-Key-Pins
+value: ''
+visibility: { }
diff --git a/config/http_response_headers.response_header.referrer_policy.yml b/config/http_response_headers.response_header.referrer_policy.yml
new file mode 100644
index 0000000..942f518
--- /dev/null
+++ b/config/http_response_headers.response_header.referrer_policy.yml
@@ -0,0 +1,12 @@
+uuid: c7a87497-2a63-4bc9-9020-5ce2cd123165
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: JSZo_FSu2YFf7fXKgHhgJGvzRNHDcmakAcXGR4jCf-s
+id: referrer_policy
+label: Referrer-Policy
+description: 'Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.'
+name: Referrer-Policy
+value: strict-origin-when-cross-origin
+visibility: { }
diff --git a/config/http_response_headers.response_header.strict_transport_security.yml b/config/http_response_headers.response_header.strict_transport_security.yml
new file mode 100644
index 0000000..4bd1efc
--- /dev/null
+++ b/config/http_response_headers.response_header.strict_transport_security.yml
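Review bot: The public_key_pins hunk enables (`status: true`) a Public-Key-Pins header, but HPKP is deprecated and no longer honoured by current browsers, and a mis-issued pin can lock returning visitors out of the site for the pin's max-age; this entry should not be enabled by default: `status: false`. With `value: ''` it is a no-op at best, and if the module emits the empty header it is only noise on every response. The description could also say that the header is obsolete so administrators are not tempted to fill it in later.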
@@ -0,0 +1,12 @@
+uuid: 3605bea5-aa9f-472e-b1f0-70dc7227b22f
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: EzF-BPkjidXdWfV5ZguA1GZG1XlRg3gh8_E7Oi9MdtM
+id: strict_transport_security
+label: Strict-Transport-Security
+description: 'This policy will enforce TLS on your site and all subdomains for a year.'
+name: Strict-Transport-Security
+value: 'max-age=31536000; includeSubDomains'
+visibility: { }
diff --git a/config/http_response_headers.response_header.x_content_type_options.yml b/config/http_response_headers.response_header.x_content_type_options.yml
new file mode 100644
index 0000000..c48e668
--- /dev/null
+++ b/config/http_response_headers.response_header.x_content_type_options.yml
@@ -0,0 +1,12 @@
+uuid: 7a4d4776-1986-473f-8dc2-e9774e27094a
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: qRI3wEmvqepaLI3hMH5U_tq_svkQ6s-7cgAmZKO-F4A
+id: x_content_type_options
+label: X-Content-Type-Options
+description: 'This header parameter prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.'
+name: X-Content-Type-Options
+value: nosniff
+visibility: { }
diff --git a/config/http_response_headers.response_header.x_frame_options.yml b/config/http_response_headers.response_header.x_frame_options.yml
new file mode 100644
index 0000000..dcbcbab
--- /dev/null
+++ b/config/http_response_headers.response_header.x_frame_options.yml
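Review bot: `value: 'max-age=31536000; includeSubDomains'` in the strict_transport_security hunk commits every subdomain of the site's host to HTTPS for a year in any browser that sees the header once, and it cannot be rolled back faster than that max-age; confirm that every subdomain (including ones not served by Drupal) terminates TLS before this is enabled, or drop `includeSubDomains`. HSTS is only meaningful on an HTTPS response, and the empty `visibility: { }` does not restrict where it is sent, so check that the module or the web server does not emit it on plain-HTTP responses. The usual staged rollout is a short lifetime first, e.g. `value: 'max-age=300; includeSubDomains'`, raised to a year once nothing breaks.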
@@ -0,0 +1,12 @@
+uuid: af80c7d0-6dbf-4338-b7e1-95e95f49bba5
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: aCpW04rpcXDf65J6xXwCkplv2TKA64ANULWPnidTXwE
+id: x_frame_options
+label: X-Frame-Options
+description: "Clickjacking protection. Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify sites that are permitted to frame"
+name: X-Frame-Options
+value: SAMEORIGIN
+visibility: { }
diff --git a/config/http_response_headers.response_header.x_generator.yml b/config/http_response_headers.response_header.x_generator.yml
new file mode 100644
index 0000000..b3cad75
--- /dev/null
+++ b/config/http_response_headers.response_header.x_generator.yml
@@ -0,0 +1,12 @@
+uuid: 5883aa74-8604-4b8b-a88a-378ab708f1c0
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: rVXSHnFplX0srS0yj58pNNp_cHSe07Q-YnpBHUX4xUY
+id: x_generator
+label: X-Generator
+description: 'Allows the declaration of the CMS type and version to be modified.'
+name: X-Generator
+value: ''
+visibility: { }
diff --git a/config/http_response_headers.response_header.x_powered_by.yml b/config/http_response_headers.response_header.x_powered_by.yml
new file mode 100644
index 0000000..4c934e5
--- /dev/null
+++ b/config/http_response_headers.response_header.x_powered_by.yml
@@ -0,0 +1,12 @@
+uuid: e5a4547c-2fc5-4ebc-8111-0b85bcb655e4
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: qN2wWwIBQbvvZJ3v_gPS6_atvVWy-iU55c5Tdj_MqFQ
+id: x_powered_by
+label: X-Powered-By
+description: "The X-Powered-By header gives information on the technology that's supporting the Web Server. It is best not to provide this information."
+name: X-Powered-By
+value: ''
+visibility: { }
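Review bot: The x_frame_options hunk enables `X-Frame-Options: SAMEORIGIN`, which Drupal core already sends on every response by default (FinishResponseSubscriber), so with `status: true` the header is either emitted twice or the module replaces core's copy, and the patch does not show which; either keep `status: false` and rely on core, or say in the commit message why the module needs to own this header. The description presents `ALLOW-FROM` as a valid value, but it is obsolete and ignored by current browsers; the Content-Security-Policy `frame-ancestors` directive is the replacement, and since the description is shown to administrators it is worth correcting, e.g. `description: 'Clickjacking protection. Valid values are DENY (the site cannot be framed) and SAMEORIGIN (only this site may frame it); to permit specific third-party sites use the Content-Security-Policy frame-ancestors directive instead.'`.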
diff --git a/config/http_response_headers.response_header.x_xss_protection.yml b/config/http_response_headers.response_header.x_xss_protection.yml
new file mode 100644
index 0000000..379ec64
--- /dev/null
+++ b/config/http_response_headers.response_header.x_xss_protection.yml
@@ -0,0 +1,12 @@
+uuid: 26090083-85fd-483e-b029-83582abecdfb
+langcode: en
+status: true
+dependencies: { }
+_core:
+  default_config_hash: xjdq0o6GzQSm6T11WcRHJ3A_DGGSEYiLrmqhLM8hpWQ
+id: x_xss_protection
+label: X-Xss-Protection
+description: "This response header can be used to configure a user-agent's built in reflective XSS protection. Currently, only Microsoft's Internet Explorer, Google Chrome and Safari (WebKit) support this header."
+name: X-Xss-Protection
+value: '1; mode=block'
+visibility: { }
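Review bot: `value: '1; mode=block'` in the x_xss_protection hunk enables a header that current guidance (OWASP, MDN) says should be `0` or omitted: the XSS auditor it controls has been removed from Chrome and Edge, and in the older browsers that still have it the filter itself was found to leak cross-site information, so `1; mode=block` is at best a no-op and at worst a regression. Change it to `value: '0'`, or keep the entry with `status: false` so the header is not sent at all. The description's list of supporting browsers is out of date for the same reason.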