'nginx/nginx/conf_split/headers.conf' toevoegen

This commit is contained in:
Mathijs Lermer 2020-10-28 13:39:20 +01:00
parent 8abd09d3dc
commit 35a481c4f3


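--- a/nginx/nginx/conf_split/headers.conf
+++ b/nginx/nginx/conf_split/headers.conf
@@ -0,0 +1,52 @@
+add_header X-Download-Options "noopen" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+# -----------------------------------------------------
+# SECURITY HEADERS - https://securityheaders.io/
+# -----------------------------------------------------
+# Protects against Clickjacking attacks.
+# ref.: http://stackoverflow.com/a/22105445/1233379
+add_header X-Frame-Options "SAMEORIGIN" always;
+# Protects against Clickjacking attacks.
+# ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+# Protects against XSS injections.
+# ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
+add_header X-Xss-Protection "1; mode=block" always;
+# Protects against MIME-type confusion attack.
+# ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
+add_header X-Content-Type-Options "nosniff" always;
+# CSP modern XSS directive-based defence, used since 2014.
+# ref.: http://content-security-policy.com/
+#add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;";
+# Heres an example accepting basically everything:
+# add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
+# zonder 'unsafe-eval' (JavaScript)
+# add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline'; style-src * 'unsafe-inline';";
+# Prevents from leaking referrer data over insecure connections.
+# ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+#add_header Referrer-Policy 'strict-origin';
+add_header Referrer-Policy "same-origin";
+#Deny the use of browser features (Feature-Policy)
+add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'; usb 'none';";
+# Remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;
+# . files
+# location ~ /\.(?!well-known) {
+# deny all;
+# }
+#Set-Cookie
+# https://scotthelme.co.uk/tough-cookies/
+#Set-Cookie: sess=123; path=/; SameSite=Lax
+#Set-Cookie: sess=123; path=/; Secure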
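Review bot: Because nginx inherits `add_header` directives from the enclosing level only when the current level defines none of its own, any `server` or `location` block that sets even one `add_header` without also including this split file silently loses every header listed here; I would state that at the top, `# NOTE: add_header is NOT inherited into any block that defines its own add_header - include this file there as well`, and audit the other conf_split files for that case. The `X-Xss-Protection "1; mode=block"` line enables a browser filter that is deprecated and has itself been abused for cross-site information leaks, so current guidance is `add_header X-XSS-Protection "0" always;` backed by a real Content-Security-Policy; the two commented CSP examples with `script-src * 'unsafe-inline'` would give no XSS protection if ever enabled, which the comments should say. `Referrer-Policy` and `Feature-Policy` are the only headers without `always`, so they are dropped from 4xx/5xx responses unlike the rest; also, Feature-Policy is superseded by `Permissions-Policy` and several of the listed features (`push`, `vibrate`, `speaker`, `notifications`) do not appear to be recognised by current browsers, so they would need confirming against the target browser set. The comment above Strict-Transport-Security repeats the clickjacking text by copy-paste, and `preload` combined with `includeSubDomains` and a two-year max-age commits every present and future subdomain to HTTPS in a way that cannot be undone quickly, which deserves an explicit warning there. `fastcgi_hide_header` strips `X-Powered-By` only from FastCGI responses, so add `proxy_hide_header X-Powered-By;` wherever `proxy_pass` is used and `server_tokens off;` for nginx's own version string; the hunk header counts 52 lines while 41 are visible, so the file may continue past this view.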