SLING-10588 - updating docs and removing unneeded import
diff --git a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
index 8aab1d0..cf77932 100644
--- a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
+++ b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
@@ -43,7 +43,6 @@
 import org.apache.sling.cms.PublishableResource;
 import org.apache.sling.cms.publication.PUBLICATION_MODE;
 import org.apache.sling.cms.publication.PublicationManagerFactory;
-import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Reference;
 import org.osgi.service.component.annotations.ReferenceCardinality;
diff --git a/docs/securing.md b/docs/securing.md
index a175521..1d482cf 100644
--- a/docs/securing.md
+++ b/docs/securing.md
@@ -20,20 +20,26 @@
     - Configure the Host Domain, Allowed Patterns and, optionally, the Group required to access the CMS
        ![Configure Security Filter](img/configure-security-filter.png)
  2. Configure the Referrer Filter - this filters which referrers are allowed send modification requests to the CMS instance. To configure the Referrer Filter:
-   - Open the OSGi console at [http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter](http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter)
-   - Configure the _Allow Hosts_ or _Allow Regexp Hosts_ to the host names allowed
+      - Open the OSGi console at [http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter](http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter)
+      - Configure the _Allow Hosts_ or _Allow Regexp Hosts_ to the host names allowed
        ![Configure Referrer Filter](img/configure-referrer-filter.png)
- 2. Configure Apache for Security - Add configurations to make Apache HTTPD secure:
+ 2. Configure Apache for Security - Add configurations like the ones below to make Apache HTTPD secure:
     
         # Security Protection
+        Header set Content-Security-Policy	default-src https: data: 'unsafe-inline'; frame-ancestors https:
+        Header set Feature-Policy * 'none'
+        Header set Referrer-Policy	strict-origin
+        Header set Strict-Transport-Security	max-age=15552000; includeSubDomains; preload
+        Header set X-Content-Type-Options "nosniff"
         Header set X-Frame-Options SAMEORIGIN
         Header set X-XSS-Protection "1; mode=block"
-        Header set X-Content-Type-Options "nosniff"
         
         # Harden Apache
         ServerSignature Off
         ServerTokens Prod
         TraceEnable off
+   
+      Note, you should expect to tweak these based on your environment. The website [securityheaders.com](https://securityheaders.com/) is a good resource for learning about the best practices in security header configurations. 
         
  3. Ensure sites only allow specific paths - in [Configure Site](configure-site.md), you need to configure the individual site's Virtual Host in Apache. Ensure that only the required paths are proxied. This should never include paths under /etc, /system, /bin, /home or /var
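Review bot: the added `Header set` lines for Content-Security-Policy, Feature-Policy and Strict-Transport-Security pass multi-word values unquoted (and tab-separated), unlike the quoted `X-Content-Type-Options "nosniff"` line beside them. Apache's `Header` directive expects the header value as one argument, so a value containing spaces is split into separate arguments and is not parsed as intended; wrap each in double quotes, e.g. `Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"`. Separately, `Feature-Policy * 'none'` is not valid policy syntax, since the header takes named features each with its own allowlist, so this line should list the specific features to disable. The closing note would also do well to call out two choices readers are likely to copy verbatim: `'unsafe-inline'` under `default-src` permits inline scripts, and `includeSubDomains; preload` commits every subdomain to HTTPS. Last, the step number `2.` is now used for both the Referrer Filter and the Apache step; consider renumbering so the following `3.` reads correctly in the raw file.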