source.conf

ServerName {{ securedrop_app_apache_listening_address }}
<VirtualHost {{ securedrop_app_apache_listening_address }}:80>
{% if securedrop_app_https_on_source_interface %}
# Optional HTTPS settings for Source Interface. Requires opt-in
# via 'securedrop-admin sdconfig', as well as an active certificate.
# If enabled, all HTTP connections will be redirected to HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost 127.0.0.1:443>
# HTTPS config
SSLEngine on
SSLCertificateFile /var/lib/ssl/{{ securedrop_app_https_certificate_cert_src|basename }}
SSLCertificateKeyFile /var/lib/ssl/{{ securedrop_app_https_certificate_key_src|basename }}
SSLCertificateChainFile /var/lib/ssl/{{ securedrop_app_https_certificate_chain_src|basename }}

# Evaluate support for TLSv1.3 in Tor Browser for Onions, conservatively
# we'll continue to support TLSv1.2 for now.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite {{ securedrop_app_https_ssl_ciphers|join(':') }}
SSLHonorCipherOrder on
SSLCompression off
{% endif %}

# WSGI settings for Flask app for Source Interface
WSGIDaemonProcess source  processes=2 threads=30 display-name=%{GROUP} python-path=/var/www/securedrop
WSGIProcessGroup source
WSGIScriptAlias / /var/www/source.wsgi

# Tell the browser not to cache HTML responses in order to minimize the chance
# of the inadvertent release or retention of sensitive data. For more, see
# https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2.
Header set Cache-Control "no-store"

XSendFile        Off

# Prevent cookies from being accessed from Javascript. XSS mitigation.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly

# Don't allow SecureDrop to be framed. Clickjacking mitigation.
Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "DENY"
Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "same-origin"
Header onsuccess unset X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"

# Set a strict CSP; "default-src 'self'" prevents 3rd party subresources from
# loading and prevents inline script from executing.
Header onsuccess unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
Header onsuccess unset X-Download-Options
Header always set X-Download-Options "noopen"
Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"

Header unset Etag

# Limit the max submitted size of requests to help prevent DoS.
LimitRequestBody 524288000

# Set default to deny all access from all filepaths.
<Directory />
  Options None
  AllowOverride None
  Require all denied
</Directory>

# Permit limited access specifically to the SecureDrop wsgi files.
<Directory /var/www/>
  Options None
  AllowOverride None
  <Limit GET POST HEAD>
    Require ip {{ securedrop_app_apache_allow_from }}
  </Limit>
  <LimitExcept GET POST HEAD>
    Require all denied
  </LimitExcept>
</Directory>

# Permit limited access specifically to the SecureDrop application directory.
<Directory /var/www/securedrop>
  Options None
  AllowOverride None
  <Limit GET POST HEAD>
    Require ip {{ securedrop_app_apache_allow_from }}
  </Limit>
  <LimitExcept GET POST HEAD>
    Require all denied
  </LimitExcept>
</Directory>

# Allow dropping txt files here for onion server validation
Alias /.well-known/pki-validation /var/www/securedrop/.well-known/pki-validation
<Directory /var/www/securedrop/.well-known/pki-validation>
  Require all granted
</Directory>

Alias /static /var/www/securedrop/static
<Directory /var/www/securedrop/static>
  Require all granted
  # Cache static resources for 1 hour
  Header set Cache-Control "max-age=3600"
</Directory>

# Deny all non-HTTP traffic, as a precaution
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]

ErrorLog {{ source_apache_log_location | default('/dev/null') }}
LogLevel {{ apache_logging_level | default('crit') }}

</VirtualHost>