#
# /usr/local/etc/nginx/security_headers
#
# Security headers for Nginx/HTTP(s)
#
# Aaron LI
# 2017-11-22
#
# Credits
# -------
# * Hardening your HTTP response headers
# https://scotthelme.co.uk/hardening-your-http-response-headers/
# * Nginx add_header configuration pitfall
# https://blog.g3rt.nl/nginx-add_header-pitfall.html
# * Nginx - ngx_http_headers_module - add_header
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
#
# Tools
# -----
# * Security Headers Analyzer
# https://securityheaders.io/
#
# 2017-11-23: Be less paranoid, due to the reverse proxy services ...
#
# Usage: "include" this file from every server/location context that
# itself carries an "add_header" directive (see the WARNING below);
# otherwise the headers defined here are silently dropped for that
# context.
#
# NOTE: Use "always" for security headers, so that they are emitted
# regardless of the response status code (i.e. on error responses too),
# not only on the default set of success/redirect codes.
#
# WARNING: The "add_header" directive (and some others) are inherited
# from the *previous* level *IF AND ONLY IF* there are NO
# "add_header" directives defined on the *current* level.
# Such behavior leads to the *pitfall* that the added headers
# may get *cleared*! In consequence, this common header
# configuration file *must* be included within every context
# that has "add_header" directives!
#
# Instruct the client to force a HTTPS connection to the domain and all
# its subdomains.  The active directive uses max-age=31536000 (1 year);
# the commented-out variant below uses 63072000 (2 years) and adds the
# "preload" token needed for submission to the browser preload list.
# See also: https://hstspreload.org/
# NOTE: "includeSubdomains" is the RFC 6797 "includeSubDomains" token
# (matched case-insensitively).  Keep it only if *every* subdomain is
# reachable over HTTPS: once a client has cached this header it will
# refuse plain-HTTP access to all subdomains for the whole max-age.
#add_header Strict-Transport-Security
# "max-age=63072000; includeSubdomains; preload" always;
add_header Strict-Transport-Security
"max-age=31536000; includeSubdomains" always;
# The Content Security Policy (CSP) header allows you to define a
# whitelist of approved sources of content for the site. By restricting
# the assets that a browser can load, CSP can act as an effective
# countermeasure to XSS attacks.
#
# Enforce TLS on all assets and prevent mixed content warnings.
# NOTE: this policy permits any https: origin, data: URIs, inline
# scripts ('unsafe-inline') and eval() ('unsafe-eval'), so in practice
# it only blocks plaintext-HTTP loads and gives little XSS protection.
# Tighten it (the 'self'-only variant below is a starting point) once
# the asset sources of the reverse-proxied applications are known; a
# "Content-Security-Policy-Report-Only" header is a safe way to test a
# stricter policy first.
add_header Content-Security-Policy
"default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
# Only allow to load assets from self!
#add_header Content-Security-Policy "default-src 'self'" always;
# The X-Frame-Options (XFO) header protects the visitors against
# clickjacking attacks.
# Only allow yourselves to frame your own site.
# NOTE: XFO is the legacy mechanism; the CSP "frame-ancestors"
# directive supersedes it in current browsers, so keep both in sync
# if frame-ancestors is ever added to the CSP above.
add_header X-Frame-Options "SAMEORIGIN" always;
# Do not allow the site to be framed at all!
#add_header X-Frame-Options "DENY" always;
# Enable the cross-site scripting filter built into most browsers, and
# tell the browser to block the response if it detects an attack rather
# than sanitizing the script.
# NOTE: the built-in XSS auditor this header controls has been removed
# from current browsers, so this is a legacy header kept for older
# clients; a strict CSP is the modern replacement.
add_header X-XSS-Protection "1; mode=block" always;
# Prevent a browser from trying to MIME-sniff the content type and force
# it to stick with the declared content-type.
# Requires that upstream responses carry a correct Content-Type.
add_header X-Content-Type-Options "nosniff" always;
# Allow a site to control how much information the browser includes with
# navigations away from a document.
#
# The browser will send the full URL for requests to the same origin, but
# only the origin for cross-origin requests. No referrer is sent at all
# when a scheme downgrade (HTTPS -> HTTP) happens.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;