From cc2bfd12343dda39cc7067141b5415761807f98a Mon Sep 17 00:00:00 2001
From: Simon C
Date: Wed, 11 Mar 2020 17:36:07 +0100
Subject: [PATCH] feat: Add security header https://securityheaders.com/
---
 nginx-default.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/nginx-default.conf b/nginx-default.conf
index 793960b..77c6d64 100644
--- a/nginx-default.conf
+++ b/nginx-default.conf
@@ -28,6 +28,19 @@ server {
  # https://www.justegeek.fr/proteger-un-peu-plus-son-site-avec-la-balise-x-content-type-options/
  add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Frame-Options DENY;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+ # https://scotthelme.co.uk/content-security-policy-an-introduction/
+ add_header Content-Security-Policy "script-src 'self'";
+
+ # https://scotthelme.co.uk/a-new-security-header-feature-policy/
+ #add_header Feature-Policy "vibrate none";
+
+ # https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
  #Caching (save html pages for 7 days, rest as long as possible, no caching on frontpage)
  expires $expires;
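Review bot: None of the new `add_header` lines carries the `always` parameter, so nginx attaches these headers only to its fixed set of 2xx/3xx responses, and error pages such as 404 or 500 are served without the framing, CSP and HSTS protections; I would write `add_header X-Frame-Options DENY always;` and do the same for the other headers. The `server` block starts and ends outside the hunk, so it is not visible whether any `location` declares its own `add_header`; if one does, it inherits none of these server-level headers and they would have to be repeated there or pulled in from a shared include. Separately, a policy of only `script-src 'self'` leaves plugins, base URI and framing uncovered by CSP, so `object-src 'none'; base-uri 'self'; frame-ancestors 'none'` would be a natural addition once the site's resources are checked. Also worth a comment above the HSTS line: `includeSubDomains` with a one-year `max-age` is only safe when every subdomain already serves HTTPS.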