Securing Lighttpd

This is a set of configuration settings you might want to use to secure your Lighttpd webserver configuration.

# disable version number display
server.tag = "lighttpd"
# disable IP logging
accesslog.format = " %V %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
server.modules += ("mod_setenv")
setenv.add-response-header = (
# require ssl for all subdomains
"Strict-Transport-Security" => "max-age=31556926;includeSubDomains",
# don't allow external content at all (new in FF4)
"X-Content-Security-Policy" => "allow 'self'"

Leave a Reply

Your email address will not be published. Required fields are marked *