Add some more security settings for all sites

2022-06-29 14:27:04 +02:00 · 2022-06-29 14:27:04 +02:00 · f46129163c
parent cd74519852
commit f46129163c
1 changed files with 27 additions and 0 deletions
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@ -42,6 +42,33 @@ in {
                          '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

      access_log /var/log/nginx/access.log custom;
+
+      # Below has been borrowed from 
+      # https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
+
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # No CSP yet, this will break like 5 sites I'm sure.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
    '';
    recommendedOptimisation = true;
    recommendedProxySettings = true;