Commit 014f2945 authored by Mark van Lent's avatar Mark van Lent

Tell Nginx to always add security related headers

By default, headers set with the add_header directive are only sent for some response codes.
By adding "always", the headers are also sent on other responses, e.g. 404 responses.

For more information see
https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
parent 35b6469c
......@@ -15,12 +15,12 @@ server {
error_log /var/log/nginx/error.log;
# Security
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' disqus.com/api/3.0/threads/set.jsonp a.disquscdn.com/embed.js vlent.disqus.com; style-src 'self' a.disquscdn.com; img-src 'self' referrer.disqus.com/juggler/stat.gif a.disquscdn.com/next/embed/assets/img/; frame-src disqus.com a.disquscdn.com; child-src disqus.com a.disquscdn.com; object-src 'none'; upgrade-insecure-requests; reflected-xss block; frame-ancestors 'none';";
add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' disqus.com/api/3.0/threads/set.jsonp a.disquscdn.com/embed.js vlent.disqus.com; style-src 'self' a.disquscdn.com; img-src 'self' referrer.disqus.com/juggler/stat.gif a.disquscdn.com/next/embed/assets/img/; frame-src disqus.com a.disquscdn.com; child-src disqus.com a.disquscdn.com; object-src 'none'; upgrade-insecure-requests; reflected-xss block; frame-ancestors 'none';" always;
add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;
server_tokens off;
# Location of the content
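Review bot: Adding `always` does not by itself guarantee these headers reach every response, because nginx's add_header is not merged across configuration levels — a `location` block that declares any add_header of its own inherits none of these server-level headers, so the security set (and its `always`) silently disappears for that location. The "# Location of the content" line suggests location blocks follow below the hunk; if any of them uses add_header, they need to repeat this whole set, or the set should move into a shared include. A comment above the block would make that trap visible, e.g. `# NOTE: add_header is not inherited into any location{} that sets its own add_header; repeat these (with "always") there or include them from a shared snippet.` Separately, the `reflected-xss block` token in the Content-Security-Policy value is not a directive in the published CSP specification (it only existed in an early draft), so browsers ignore it; it is harmless but could be dropped. The +/- markers were lost in rendering, so the old/new split above is inferred from the presence of `always`.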