'nginx/nginx/conf_split/headers.conf' toevoegen
This commit is contained in:
parent
8abd09d3dc
commit
35a481c4f3
1 changed files with 52 additions and 0 deletions
52
nginx/nginx/conf_split/headers.conf
Normal file
52
nginx/nginx/conf_split/headers.conf
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
add_header X-Download-Options "noopen" always;
|
||||||
|
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||||
|
add_header X-Robots-Tag "none" always;
|
||||||
|
|
||||||
|
|
||||||
|
# -----------------------------------------------------
|
||||||
|
# SECURITY HEADERS - https://securityheaders.io/
|
||||||
|
# -----------------------------------------------------
|
||||||
|
# Protects against Clickjacking attacks.
|
||||||
|
# ref.: http://stackoverflow.com/a/22105445/1233379
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||||
|
|
||||||
|
# Protects against Clickjacking attacks.
|
||||||
|
# ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
||||||
|
|
||||||
|
# Protects against XSS injections.
|
||||||
|
# ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
|
||||||
|
add_header X-Xss-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
# Protects against MIME-type confusion attack.
|
||||||
|
# ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
|
||||||
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
|
||||||
|
# CSP modern XSS directive-based defence, used since 2014.
|
||||||
|
# ref.: http://content-security-policy.com/
|
||||||
|
#add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;";
|
||||||
|
# Here’s an example accepting basically everything:
|
||||||
|
# add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
|
||||||
|
# zonder 'unsafe-eval' (JavaScript)
|
||||||
|
# add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline'; style-src * 'unsafe-inline';";
|
||||||
|
|
||||||
|
# Prevents from leaking referrer data over insecure connections.
|
||||||
|
# ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
|
||||||
|
#add_header Referrer-Policy 'strict-origin';
|
||||||
|
add_header Referrer-Policy "same-origin";
|
||||||
|
|
||||||
|
#Deny the use of browser features (Feature-Policy)
|
||||||
|
add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'; usb 'none';";
|
||||||
|
|
||||||
|
# Remove X-Powered-By, which is an information leak
|
||||||
|
fastcgi_hide_header X-Powered-By;
|
||||||
|
|
||||||
|
# . files
|
||||||
|
# location ~ /\.(?!well-known) {
|
||||||
|
# deny all;
|
||||||
|
# }
|
||||||
|
|
||||||
|
#Set-Cookie
|
||||||
|
# https://scotthelme.co.uk/tough-cookies/
|
||||||
|
#Set-Cookie: sess=123; path=/; SameSite=Lax
|
||||||
|
#Set-Cookie: sess=123; path=/; Secure
|
Loading…
Reference in a new issue