Add some more security settings for all sites

This commit is contained in:
Julius 2022-06-29 14:27:04 +02:00
parent cd74519852
commit f46129163c
Signed by: j00lz
GPG key ID: AF241B0AA237BBA2

View file

@ -42,6 +42,33 @@ in {
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for"'; '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log custom; access_log /var/log/nginx/access.log custom;
# Below has been borrowed from
# https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# No CSP yet, this will break like 5 sites I'm sure.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
''; '';
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;