aboutsummaryrefslogtreecommitdiffstats
path: root/roles/web/files/conf.d/security_headers.conf
diff options
context:
space:
mode:
Diffstat (limited to 'roles/web/files/conf.d/security_headers.conf')
-rw-r--r--roles/web/files/conf.d/security_headers.conf79
1 files changed, 79 insertions, 0 deletions
diff --git a/roles/web/files/conf.d/security_headers.conf b/roles/web/files/conf.d/security_headers.conf
new file mode 100644
index 0000000..f4a7135
--- /dev/null
+++ b/roles/web/files/conf.d/security_headers.conf
@@ -0,0 +1,79 @@
+#
+# /usr/local/etc/nginx/security_headers
+#
+# Security headers for Nginx/HTTP(s)
+#
+# Aaron LI
+# 2017-11-22
+#
+# Credits
+# -------
+# * Hardening your HTTP response headers
+# https://scotthelme.co.uk/hardening-your-http-response-headers/
+# * Nginx add_header configuration pitfall
+# https://blog.g3rt.nl/nginx-add_header-pitfall.html
+# * Nginx - ngx_http_headers_module - add_header
+# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+#
+# Tools
+# -----
+# * Security Headers Analyzer
+# https://securityheaders.io/
+#
+# 2017-11-23: Be less paranoid, due to the reverse proxy services ...
+#
+
+#
+# NOTE: Use "always" for security headers.
+#
+# WARNING: The "add_header" directive (and some others) are inherited
+# from the *previous* level *IF AND ONLY IF* there are NO
+# "add_header" directives defined on the *current* level.
+# Such behavior leads to the *pitfall* that the added headers
+# may get *cleared*! In consequence, this common header
+# configuration file *must* be included within every context
+# that has "add_header" directives!
+#
+
+# Instruct the client to force a HTTPS connection to the domain and all
+# its subdomains for 2 year.
+# See also: https://hstspreload.org/
+#add_header Strict-Transport-Security
+# "max-age=63072000; includeSubdomains; preload" always;
+add_header Strict-Transport-Security
+ "max-age=31536000; includeSubdomains" always;
+
+# The Content Security Policy (CSP) header allows to define a whitelist
+# of approved sources of content for the site. By restricting the assets
+# that a browser can load, CSP can act as an effective countermeasure to
+# XSS attacks.
+#
+# Enforce TLS on all assets and prevent mixed content warnings.
+add_header Content-Security-Policy
+ "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
+# Only allow to load assets from self!
+#add_header Content-Security-Policy "default-src 'self'" always;
+
+# The X-Frame-Options (XFO) header protects the visitors against
+# clickjacking attacks.
+# Only allow yourselves to frame your own site.
+add_header X-Frame-Options "SAMEORIGIN" always;
+# Do not allow the site to be framed at all!
+#add_header X-Frame-Options "DENY" always;
+
+# Enable the cross-site scripting filter built into most browsers, and
+# tell the browser to block the response if it detects an attack rather
+# than sanitizing the script.
+add_header X-XSS-Protection "1; mode=block" always;
+
+# Prevent a browser from trying to MIME-sniff the content type and forces
+# it to stick with the declared content-type.
+add_header X-Content-Type-Options "nosniff" always;
+
+# Allow a site to control how much information the browser includes with
+# navigations away from a document.
+#
+# The browser will send the full URL to requests to the same origin, but
+# only send the origin when requests are cross-origin. No information
+# allowed to be sent when a scheme downgrade happens.
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;