1 files changed, 0 insertions, 79 deletions
diff --git a/roles/web/files/conf.d/security_headers.conf b/roles/web/files/conf.d/security_headers.conf
deleted file mode 100644
index f4a7135..0000000
--- a/roles/web/files/conf.d/security_headers.conf
+++ /dev/null
@@ -1,79 +0,0 @@
-#
-# /usr/local/etc/nginx/security_headers
-#
-# Security headers for Nginx/HTTP(s)
-#
-# Aaron LI
-# 2017-11-22
-#
-# Credits
-# -------
-# * Hardening your HTTP response headers
-#   https://scotthelme.co.uk/hardening-your-http-response-headers/
-# * Nginx add_header configuration pitfall
-#   https://blog.g3rt.nl/nginx-add_header-pitfall.html
-# * Nginx - ngx_http_headers_module - add_header
-#   https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
-#
-# Tools
-# -----
-# * Security Headers Analyzer
-#   https://securityheaders.io/
-#
-# 2017-11-23: Be less paranoid, due to the reverse proxy services ...
-#
-
-#
-# NOTE: Use "always" for security headers.
-#
-# WARNING: The "add_header" directive (and some others) are inherited
-#          from the *previous* level *IF AND ONLY IF* there are NO
-#          "add_header" directives defined on the *current* level.
-#          Such behavior leads to the *pitfall* that the added headers
-#          may get *cleared*!  In consequence, this common header
-#          configuration file *must* be included within every context
-#          that has "add_header" directives!
-#
-
-# Instruct the client to force a HTTPS connection to the domain and all
-# its subdomains for 2 year.
-# See also: https://hstspreload.org/
-#add_header  Strict-Transport-Security
-#            "max-age=63072000; includeSubdomains; preload"  always;
-add_header  Strict-Transport-Security
-            "max-age=31536000; includeSubdomains"  always;
-
-# The Content Security Policy (CSP) header allows to define a whitelist
-# of approved sources of content for the site.  By restricting the assets
-# that a browser can load, CSP can act as an effective countermeasure to
-# XSS attacks.
-#
-# Enforce TLS on all assets and prevent mixed content warnings.
-add_header  Content-Security-Policy
-            "default-src https: data: 'unsafe-inline' 'unsafe-eval'"  always;
-# Only allow to load assets from self!
-#add_header  Content-Security-Policy  "default-src 'self'"  always;
-
-# The X-Frame-Options (XFO) header protects the visitors against
-# clickjacking attacks.
-# Only allow yourselves to frame your own site.
-add_header  X-Frame-Options  "SAMEORIGIN"  always;
-# Do not allow the site to be framed at all!
-#add_header  X-Frame-Options  "DENY"  always;
-
-# Enable the cross-site scripting filter built into most browsers, and
-# tell the browser to block the response if it detects an attack rather
-# than sanitizing the script.
-add_header  X-XSS-Protection  "1; mode=block"  always;
-
-# Prevent a browser from trying to MIME-sniff the content type and forces
-# it to stick with the declared content-type.
-add_header  X-Content-Type-Options  "nosniff"  always;
-
-# Allow a site to control how much information the browser includes with
-# navigations away from a document.
-#
-# The browser will send the full URL to requests to the same origin, but
-# only send the origin when requests are cross-origin.  No information
-# allowed to be sent when a scheme downgrade happens.
-add_header  Referrer-Policy  "strict-origin-when-cross-origin"  always;