From 35a481c4f32bce6c4c5af99b5a1430f0c33a76c8 Mon Sep 17 00:00:00 2001
From: Mathijs Lermer
Date: Wed, 28 Oct 2020 13:39:20 +0100
Subject: [PATCH] 'nginx/nginx/conf_split/headers.conf' toevoegen
---
 nginx/nginx/conf_split/headers.conf | 52 +++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 nginx/nginx/conf_split/headers.conf
diff --git a/nginx/nginx/conf_split/headers.conf b/nginx/nginx/conf_split/headers.conf
new file mode 100644
index 0000000..7f09ace
--- /dev/null
+++ b/nginx/nginx/conf_split/headers.conf
@@ -0,0 +1,52 @@
+add_header X-Download-Options "noopen" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+
+
+# -----------------------------------------------------
+# SECURITY HEADERS - https://securityheaders.io/
+# -----------------------------------------------------
+# Protects against Clickjacking attacks.
+# ref.: http://stackoverflow.com/a/22105445/1233379
+add_header X-Frame-Options "SAMEORIGIN" always;
+
+# Protects against Clickjacking attacks.
+# ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# Protects against XSS injections.
+# ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
+add_header X-Xss-Protection "1; mode=block" always;
+
+# Protects against MIME-type confusion attack.
+# ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
+add_header X-Content-Type-Options "nosniff" always;
+
+# CSP modern XSS directive-based defence, used since 2014.
+# ref.: http://content-security-policy.com/
+#add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;";
+# Here’s an example accepting basically everything:
+# add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
+# zonder 'unsafe-eval' (JavaScript)
+# add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline'; style-src * 'unsafe-inline';";
+
+# Prevents from leaking referrer data over insecure connections.
+# ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+#add_header Referrer-Policy 'strict-origin';
+add_header Referrer-Policy "same-origin";
+
+#Deny the use of browser features (Feature-Policy)
+add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'; usb 'none';";
+
+# Remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;
+
+# . files
+# location ~ /\.(?!well-known) {
+# deny all;
+# }
+
+#Set-Cookie
+# https://scotthelme.co.uk/tough-cookies/
+#Set-Cookie: sess=123; path=/; SameSite=Lax
+#Set-Cookie: sess=123; path=/; Secure
\ No newline at end of file
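Review bot: `add_header Referrer-Policy "same-origin";` and the `Feature-Policy` directive a few lines below it are the only `add_header` lines in this hunk without the `always` flag, so nginx emits them only on 2xx/3xx responses and error pages go out without them; change to `add_header Referrer-Policy "same-origin" always;` and append `always` to the Feature-Policy line in the same way. The comment above the Strict-Transport-Security line repeats the X-Frame-Options one ("Protects against Clickjacking attacks.") and should describe HSTS instead, e.g. `# Forces browsers to use HTTPS on later visits (protects against protocol-downgrade / SSL-stripping).`. Since this is an included fragment, it is worth a top-of-file comment that nginx inherits `add_header` directives only into blocks that declare none of their own, so a single `add_header` inside a `location` silently drops this whole set. `fastcgi_hide_header X-Powered-By;` only affects FastCGI upstreams; if any vhost uses `proxy_pass`, a matching `proxy_hide_header X-Powered-By;` is presumably needed as well.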