@marns93 marns93 commented Dec 16, 2025

Important

This PR was co-authored by @jaydrogers and had its original comment modified to provide the latest summary. View the original post by @marns93 below if you'd like to see the content of the original submission.

Testing this PR

You can test this PR by using any tag with this prefix:

docker.io/serversideup/php-dev:631-*


Summary

This PR standardizes and improves security configurations across nginx, Apache, and FrankenPHP/Caddy variations to ensure consistent behavior and proper documentation with references to authoritative sources.

Authoritative Sources Referenced

All configurations now cite their sources for transparency and credibility:

| Source                       | URL                                            |
|------------------------------|------------------------------------------------|
| H5BP Server Configs (nginx)  | https://github.com/h5bp/server-configs-nginx   |
| H5BP Server Configs (Apache) | https://github.com/h5bp/server-configs-apache  |
| OWASP Secure Headers Project | https://owasp.org/www-project-secure-headers/  |
| RFC 8615 - Well-Known URIs   | https://www.rfc-editor.org/rfc/rfc8615         |

Security Headers (Consistent Across All Variations)

| Header                    | Value                                | Purpose                       |
|---------------------------|--------------------------------------|-------------------------------|
| X-Frame-Options           | SAMEORIGIN                           | Prevent clickjacking attacks  |
| X-Content-Type-Options    | nosniff                              | Prevent MIME type sniffing    |
| Referrer-Policy           | strict-origin-when-cross-origin      | Control referrer information  |
| Strict-Transport-Security | max-age=31536000; includeSubDomains  | Enforce HTTPS (HSTS)          |

Blocked File Extensions

Based on H5BP server configs with a conservative approach to avoid breaking legitimate use cases:

| Extension    | Reason                               |
|--------------|--------------------------------------|
| .bak         | Backup files                         |
| .conf        | Configuration files (Linux/Unix)     |
| .config      | Configuration files (Windows/.NET)   |
| .dist        | Distribution/sample configs          |
| .inc         | PHP include files                    |
| .ini         | Configuration files                  |
| .log         | Log files                            |
| .sh          | Shell scripts                        |
| .sql         | Database dumps                       |
| .swp / .swo  | Vim swap files                       |
| ~            | Editor backup files                  |
| #*#          | Emacs auto-save files                |
| */.*         | All dotfiles (hidden files)          |

✅ Explicitly Allowed

  • /.well-known/* - Required by RFC 8615 for ACME challenges and other standardized endpoints

❌ Intentionally NOT Blocked (too aggressive for general use)

  • .zip, .tar, .tgz - Legitimate downloads
  • .yml, .json - Could be API responses
  • .psd, .fla - Low security risk

Key Changes from Previous Configuration

  1. Standardized blocklist - All three variations now block the same file extensions
  2. Added .well-known exception - Properly allows RFC 8615 endpoints (fixes #626: FrankenPHP returns 403 for commonly used hidden folders like .well-known/)
  3. Added .conf blocking - More relevant for Linux/PHP environments than .config alone
  4. Removed arbitrary extensions - .fla, .psd, .orig, .inci, .swop removed (not in official H5BP or too aggressive)
  5. Consistent Referrer-Policy - Changed to strict-origin-when-cross-origin across all variations
  6. Added source documentation - Every rule now cites its authoritative source

Testing Checklist

  • Verify /.well-known/ paths are accessible (ACME, security.txt, etc.)
  • Verify blocked extensions return 403
  • Verify security headers are present in responses
  • Test with legitimate .zip downloads (should work)

Original post by @marns93

Fixes: #626

The newest variation, frankenphp, is blocking everything under .well-known/. The following line is responsible for this:

@rejected path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*

In this PR I've whitelisted some commonly used paths under .well-known/. For security reasons I don't want to allow everything, so I've whitelisted some of them. The list can be extended in the future.

@jaydrogers (Member) commented:

Thanks for the PR! I will review soon 👍

@wapacro

wapacro commented Jan 6, 2026

Great PR, running into this issue right now. However, I'd add some more common endpoints for web apps, at least .well-known/passkey-endpoints and .well-known/webauthn (for proper Passkey support) if not all of them.

@marns93 marns93 force-pushed the fix-blocking-well-known-path branch from d7aed51 to 00df1ca on January 9, 2026 12:54

marns93 commented Jan 9, 2026

> Great PR, running into this issue right now. However, I'd add some more common endpoints for web apps, at least .well-known/passkey-endpoints and .well-known/webauthn (for proper Passkey support) if not all of them.

@wapacro Thank you for your feedback. I've added your endpoints in this PR.
In general I do agree, but I would make the whitelist explicitly based on requests.


marns93 commented Jan 9, 2026

@jaydrogers Any estimation when this can be reviewed and merged on your side?


Maarten-Dekker commented Jan 13, 2026

Could we also include support for .well-known/ucp? The UCP spec (https://ucp.dev) defines this as the standard discovery endpoint.

@jaydrogers jaydrogers changed the base branch from main to release/bugfixes-and-dependency-updates January 14, 2026 19:47
@jaydrogers jaydrogers changed the title Fix blocking .well-known path for FrankenPHP Refactor and improve security headers, file blocks, etc Jan 14, 2026
…plementing best practices for HTTP headers and file access restrictions. Added protections against clickjacking, MIME type sniffing, and sensitive file exposure while allowing necessary access to well-known URIs as per RFC 8615.
@jaydrogers (Member) commented:

@marns93 I appreciate your efforts on this.

I had a chance to take a look at your PR. Instead of blocking everything from .well-known and whitelisting it, I changed the rules to specifically allow anything in .well-known because it's an industry standard to allow any files in there.

I also standardized these rules across all 3 web server variations.

I am keeping an updated summary here: #631 (comment)


Successfully merging this pull request may close these issues.

FrankenPHP returns 403 for commonly used hidden folders like .well-known/
