qenya/nixfiles
1
0
Fork 0
Code Issues 5 Pull requests Actions Activity

nginx: improve hardening, tweak headers

Browse source 
Still not quite where I want it to be but it's better
This commit is contained in:
Katherina Walshe-Grey 2024-09-24 05:31:17 +01:00
parent 26900a5973
commit 3195af88ef
1 changed files with 4 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
common/nginx.nix
View file

@ -7,17 +7,13 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = '' appendHttpConfig = ''
map $scheme $hsts_header { add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
https "max-age=31536000; includeSubdomains; preload"; add_header Content-Security-Policy "default-src https: data: 'unsafe-inline'; object-src 'none'; base-uri 'none';" always;
} add_header Referrer-Policy strict-origin-when-cross-origin;
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
''; '';
}; };