
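#!/bin/bash
#
# Web-Security-Headers.sh
#
# Prints a set of HTTP security headers as a configuration snippet for
# Apache2, nginx or PHP. The snippet goes to stdout; every prompt and
# diagnostic goes to stderr, so `./Web-Security-Headers.sh > headers.conf`
# captures only the snippet.
#
# Usage: Web-Security-Headers.sh [CERT.pem ...]
#   Each argument is a PEM certificate file. Its SubjectPublicKeyInfo
#   SHA-256 fingerprint (base64) is added as a pin-sha256 value to a
#   Public-Key-Pins header; files that are not certificates are reported
#   and skipped. Without arguments no Public-Key-Pins header is emitted.
#
# Caveats on the emitted policy (header values are kept as the author wrote them):
#   - Public-Key-Pins (HPKP) has been withdrawn from the major browsers, and a
#     pin that no longer matches the served certificate locks clients out for
#     the whole max-age. Only emit it deliberately.
#   - The Content-Security-Policy allows 'unsafe-inline' and 'unsafe-eval',
#     which removes most of CSP's script protection; `referrer origin` is a
#     withdrawn CSP directive (the Referrer-Policy header replaced it).
#   - X-XSS-Protection only drives the legacy browser XSS auditors; CSP is
#     the current mechanism.

# Unset variables are programming errors here. `-e` is deliberately not used:
# an unreadable certificate must stay a per-file warning, not abort the run.
set -u

#######################################
# Write one diagnostic line to stderr (stdout is reserved for the snippet).
# Arguments: message words
#######################################
msg() {
  printf '%s\n' "$*" >&2
}

#######################################
# Compute the HPKP pin of a certificate: base64(SHA-256(SubjectPublicKeyInfo)).
# `openssl pkey` accepts any key type — the original `openssl rsa` produced an
# empty pin for non-RSA (e.g. EC) certificates and the empty value was emitted
# silently. pipefail makes a failure in any stage visible instead of hashing
# empty input.
# Arguments: $1 - path to a PEM certificate
# Outputs:   the pin on stdout
# Returns:   0 on success, 1 if no pin could be computed
#######################################
spki_pin() {
  local cert=$1 pin
  pin=$(
    set -o pipefail
    openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform der 2>/dev/null \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
  ) || return 1
  [[ -n "$pin" ]] || return 1
  printf '%s\n' "$pin"
}

#######################################
# Build the `; pin-sha256=\"...\"` suffix for every readable certificate.
# The backslash-escaped quotes are intentional output: all three formats
# (Apache, nginx, PHP) expect `\"` inside a double-quoted header value.
# Arguments: certificate paths
# Outputs:   the concatenated suffix on stdout (empty if no pin was made);
#            progress and errors go to stderr
#######################################
collect_pins() {
  local subject pin pins=''
  while (( $# )); do
    # Quoted "$1": the original unquoted $1 broke on paths containing spaces.
    if subject=$(openssl x509 -in "$1" -subject -noout 2>/dev/null); then
      msg "# [INFO] Füge den Pubkey des folgenden Zertifikats hinzu: $subject"
      if pin=$(spki_pin "$1"); then
        pins+="; pin-sha256=\\\"${pin}\\\""
      else
        msg "# [FEHLER] Der Public-Key-Pin für \"$1\" konnte nicht berechnet werden."
      fi
    else
      msg "# [FEHLER] Die Datei \"$1\" ist kein gültiges Zertifikat."
    fi
    shift
  done
  printf '%s' "$pins"
}

#######################################
# Print the Apache2 snippet (mod_headers directives) to stdout.
# Arguments: $1 - pin suffix from collect_pins (may be empty)
#######################################
emit_apache() {
  local pins=$1
  msg $'#\n# Apache2-Security-Header:'
  printf '%s\n' \
    ' Header unset X-Powered-By' \
    ' Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"' \
    " Header always set Content-Security-Policy \"default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; form-action https: 'self'; referrer origin;\"" \
    ' Header always set X-Content-Type-Options nosniff' \
    ' Header always set X-Frame-Options sameorigin' \
    ' Header always set X-XSS-Protection "1; mode=block"'
  if [[ -n "$pins" ]]; then
    printf '%s\n' " Header always set Public-Key-Pins \"max-age=2592000; includeSubDomains${pins}\""
  fi
}

#######################################
# Print the nginx snippet (add_header directives) to stdout.
# X-Powered-By is overridden with a decoy value rather than removed, as the
# author wrote it.
# Arguments: $1 - pin suffix from collect_pins (may be empty)
#######################################
emit_nginx() {
  local pins=$1
  msg $'#\n# nginx-Security-Header:'
  printf '%s\n' \
    ' add_header X-Powered-By "Pizza and Caffein";' \
    ' add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";' \
    " add_header Content-Security-Policy \"default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; form-action https: 'self'; referrer origin;\";" \
    ' add_header X-Content-Type-Options nosniff;' \
    ' add_header X-Frame-Options sameorigin;' \
    ' add_header X-XSS-Protection "1; mode=block";'
  if [[ -n "$pins" ]]; then
    printf '%s\n' " add_header Public-Key-Pins \"max-age=2592000; includeSubDomains${pins}\";"
  fi
}

#######################################
# Print the PHP snippet (header()/header_remove() calls) to stdout.
# Arguments: $1 - pin suffix from collect_pins (may be empty)
#######################################
emit_php() {
  local pins=$1
  msg $'#\n# PHP-Security-Header:'
  printf '%s\n' \
    ' header_remove("X-Powered-By");' \
    ' header("Strict-Transport-Security: max-age=63072000; includeSubdomains; preload", true);' \
    " header(\"Content-Security-Policy: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; form-action https: 'self'; referrer origin;\", true);" \
    ' header("X-Content-Type-Options: nosniff", true);' \
    ' header("X-Frame-Options: sameorigin", true);' \
    ' header("X-XSS-Protection: 1; mode=block", true);'
  if [[ -n "$pins" ]]; then
    printf '%s\n' " header(\"Public-Key-Pins: max-age=2592000; includeSubDomains${pins}\", true);"
  fi
}

#######################################
# Collect pins from the arguments, then ask for the target platform until a
# valid choice is made.
# Arguments: certificate paths (optional)
# Returns:   0 after a snippet was printed or the user quit,
#            1 if stdin closed before a choice was read
#######################################
main() {
  local pins choice
  if (( $# == 0 )); then
    msg "# [HINWEIS] Als Parameter können Dateien von Zertifikaten angehängt werden, welche dann in einen Public-Key-Pins-Header umgewandelt werden."
  fi
  pins=$(collect_pins "$@")
  while true; do
    msg "# [FRAGE] Für welche Plattform sollen die Header ausgegeben werden?"
    msg "# 1) Apache2"
    msg "# 2) nginx"
    msg "# 3) PHP"
    msg "# 0) Beenden"
    # -r: never interpret backslashes. On EOF (stdin closed, non-interactive
    # run) the original script re-printed the menu forever; treat it as an error.
    if ! read -r -n 1 -p "# Ihre Auswahl: " choice; then
      msg ""
      msg "# [FEHLER] Keine Eingabe gelesen (stdin geschlossen)."
      return 1
    fi
    msg ""
    case "$choice" in
      1|a|A)
        emit_apache "$pins"
        break
        ;;
      2|n|N)
        emit_nginx "$pins"
        break
        ;;
      3|p|P)
        emit_php "$pins"
        break
        ;;
      0|b|B|q|Q|x|X|e|E)
        msg "# [EXIT] Auf Wiedersehen"
        return 0
        ;;
      *)
        # To stderr like every other diagnostic; the original wrote this to
        # stdout and thereby into the generated snippet.
        msg "# [FEHLER] Ungültige Eingabe"
        ;;
    esac
  done
  return 0
}

main "$@"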