mijn_server/nginx/nginx/conf_split/headers.conf


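# NOTE: nginx does not merge add_header across levels. A server/location block
# that declares any add_header of its own drops every header set here unless it
# includes this file again - verify on the actual response, not in the config.
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
# "none" is equivalent to "noindex, nofollow": search engines will not index
# anything served with this header. Intended for a private host only.
add_header X-Robots-Tag "none" always;
# -----------------------------------------------------
# SECURITY HEADERS - https://securityheaders.io/
# -----------------------------------------------------
# Protects against Clickjacking attacks (a CSP frame-ancestors directive is the
# modern equivalent and takes precedence where both are present).
# ref.: http://stackoverflow.com/a/22105445/1233379
add_header X-Frame-Options "SAMEORIGIN" always;
# Protects against protocol-downgrade / SSL-stripping attacks by pinning the
# browser to HTTPS for two years. "preload" is a commitment: once the host is
# in the browser preload lists it is hard to undo, so keep it only when every
# subdomain is served over HTTPS.
# ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Legacy XSS-auditor switch. Current browsers ignore it and OWASP now advises
# the value "0", because the auditor itself caused problems; the CSP below is
# the actual XSS defence.
# ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
add_header X-Xss-Protection "1; mode=block" always;
# Protects against MIME-type confusion attack.
# ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
add_header X-Content-Type-Options "nosniff" always;
# CSP modern XSS directive-based defence, used since 2014.
# ref.: http://content-security-policy.com/
#add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;";
# Here's an example accepting basically everything. With "script-src *" plus
# 'unsafe-inline' and 'unsafe-eval' it gives no XSS protection at all; it is
# only a starting point for tightening (use Content-Security-Policy-Report-Only
# while doing so):
# add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
# The same without 'unsafe-eval' (JavaScript):
# add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline'; style-src * 'unsafe-inline';";
# Prevents leaking referrer data over insecure connections.
# ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
#add_header Referrer-Policy 'strict-origin';
# "always" added so error responses (4xx/5xx) carry the header too.
add_header Referrer-Policy "same-origin" always;
# Deny the use of browser features (Feature-Policy). Feature-Policy is the
# deprecated predecessor of Permissions-Policy and newer browsers ignore it;
# keep it for older clients and add a Permissions-Policy header alongside.
# "always" added so error responses carry the header too.
add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'; usb 'none';" always;
# Remove X-Powered-By, which is an information leak.
# This only covers FastCGI upstreams; a proxy_pass backend needs
# proxy_hide_header, and nginx's own version banner is hidden with
# "server_tokens off;".
fastcgi_hide_header X-Powered-By;
# . files (dotfiles such as .git/.env must not be served; .well-known is
# exempt for ACME challenges)
# location ~ /\.(?!well-known) {
# deny all;
# }
#Set-Cookie
# https://scotthelme.co.uk/tough-cookies/
# These flags are set by the application, not by nginx; a session cookie should
# carry Secure, HttpOnly and SameSite together, not one of them:
#Set-Cookie: sess=123; path=/; SameSite=Lax
#Set-Cookie: sess=123; path=/; Secure
#Set-Cookie: sess=123; path=/; Secure; HttpOnly; SameSite=Lax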