aboutsummaryrefslogtreecommitdiffstats
path: root/roles/web/files/nginx/conf.d/security_headers.conf
blob: f4a713589b8b8c846ba1c8efe4caa1051dc95229 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#
# /usr/local/etc/nginx/security_headers
#
# Security headers for Nginx/HTTP(s)
#
# Aaron LI
# 2017-11-22
#
# Credits
# -------
# * Hardening your HTTP response headers
#   https://scotthelme.co.uk/hardening-your-http-response-headers/
# * Nginx add_header configuration pitfall
#   https://blog.g3rt.nl/nginx-add_header-pitfall.html
# * Nginx - ngx_http_headers_module - add_header
#   https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
#
# Tools
# -----
# * Security Headers Analyzer
#   https://securityheaders.io/
#
# 2017-11-23: Be less paranoid, due to the reverse proxy services ...
#

#
# NOTE: Use "always" for security headers.
#
# WARNING: The "add_header" directive (and some others) are inherited
#          from the *previous* level *IF AND ONLY IF* there are NO
#          "add_header" directives defined on the *current* level.
#          Such behavior leads to the *pitfall* that the added headers
#          may get *cleared*!  In consequence, this common header
#          configuration file *must* be included within every context
#          that has "add_header" directives!
#

# Instruct the client to force a HTTPS connection to the domain and all
# its subdomains for 2 year.
# See also: https://hstspreload.org/
#add_header  Strict-Transport-Security
#            "max-age=63072000; includeSubdomains; preload"  always;
add_header  Strict-Transport-Security
            "max-age=31536000; includeSubdomains"  always;

# The Content Security Policy (CSP) header allows to define a whitelist
# of approved sources of content for the site.  By restricting the assets
# that a browser can load, CSP can act as an effective countermeasure to
# XSS attacks.
#
# Enforce TLS on all assets and prevent mixed content warnings.
add_header  Content-Security-Policy
            "default-src https: data: 'unsafe-inline' 'unsafe-eval'"  always;
# Only allow to load assets from self!
#add_header  Content-Security-Policy  "default-src 'self'"  always;

# The X-Frame-Options (XFO) header protects the visitors against
# clickjacking attacks.
# Only allow yourselves to frame your own site.
add_header  X-Frame-Options  "SAMEORIGIN"  always;
# Do not allow the site to be framed at all!
#add_header  X-Frame-Options  "DENY"  always;

# Enable the cross-site scripting filter built into most browsers, and
# tell the browser to block the response if it detects an attack rather
# than sanitizing the script.
add_header  X-XSS-Protection  "1; mode=block"  always;

# Prevent a browser from trying to MIME-sniff the content type and forces
# it to stick with the declared content-type.
add_header  X-Content-Type-Options  "nosniff"  always;

# Allow a site to control how much information the browser includes with
# navigations away from a document.
#
# The browser will send the full URL to requests to the same origin, but
# only send the origin when requests are cross-origin.  No information
# allowed to be sent when a scheme downgrade happens.
add_header  Referrer-Policy  "strict-origin-when-cross-origin"  always;