From f46129163c7be5755c1eedbf79069bf1aef65d7e Mon Sep 17 00:00:00 2001
From: Julius de Jeu
Date: Wed, 29 Jun 2022 14:27:04 +0200
Subject: [PATCH] Add some more security settings for all sites

---
 nixos/machines/nginx/default.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/nixos/machines/nginx/default.nix b/nixos/machines/nginx/default.nix
index 58e6025..11e06c7 100644
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@@ -42,6 +42,33 @@ in {
 '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log custom;
+
+ # Below has been borrowed from
+ # https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
+
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # No CSP yet, this will break like 5 sites I'm sure.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
 '';
 recommendedOptimisation = true;
 recommendedProxySettings = true;
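Review bot: The five active `add_header` lines lack `always`, so nginx emits them only on 2xx/3xx responses and every 4xx/5xx page (exactly what a scanner or attacker sees most) goes out without HSTS, `X-Frame-Options` or `nosniff`; only the commented-out CSP line carries the flag. Suggest `add_header Strict-Transport-Security $hsts_header always;` and the same suffix on the Referrer-Policy, X-Frame-Options and X-Content-Type-Options lines. Since this string appears to land in the http block, it is also worth a comment that nginx does not inherit `add_header` into any `server`/`location` that declares its own `add_header`, e.g. `# NOTE: add_header is per-level; a vhost or location that sets its own add_header loses all of these`, because a single `extraConfig` header on one site silently removes the whole set there. `X-XSS-Protection "1; mode=block"` is deprecated (modern browsers dropped the auditor, and it has been abused for cross-site leaks in older ones), so the safer value today is `add_header X-XSS-Protection "0" always;` or removing the line. Finally, `includeSubdomains; preload` commits every subdomain to HTTPS and is effectively irreversible once submitted to the preload list, which the HSTS comment should state before anyone submits the domain.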