mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-12-25 07:47:05 +00:00
updates on nginx security headers
This commit is contained in:
parent
f1bc7187b2
commit
0392b07008
@ -36,6 +36,8 @@
|
|||||||
add_header X-Frame-Options "DENY";
|
add_header X-Frame-Options "DENY";
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header Content-Security-Policy "frame-ancestors 'none';";
|
add_header Content-Security-Policy "frame-ancestors 'none';";
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
|
add_header Referrer-Policy "strict-origin";
|
||||||
}
|
}
|
||||||
|
|
||||||
# Nextcloud configuration.
|
# Nextcloud configuration.
|
||||||
|
@ -1,5 +0,0 @@
|
|||||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header Content-Security-Policy-Report-Only "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'";
|
|
||||||
add_header Referrer-Policy "strict-origin";
|
|
@ -211,10 +211,15 @@ def make_domain_config(domain, templates, ssl_certificates, env):
|
|||||||
|
|
||||||
# Add the HSTS header.
|
# Add the HSTS header.
|
||||||
if hsts == "yes":
|
if hsts == "yes":
|
||||||
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000\" always;\n"
|
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;\n"
|
||||||
elif hsts == "preload":
|
elif hsts == "preload":
|
||||||
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n"
|
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n"
|
||||||
|
|
||||||
|
nginx_conf_extra += "\tadd_header X-Frame-Options \"SAMEORIGIN\" always;\n"
|
||||||
|
nginx_conf_extra += "\tadd_header X-Content-Type-Options nosniff;\n"
|
||||||
|
nginx_conf_extra += "\tadd_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'\";\n"
|
||||||
|
nginx_conf_extra += "\tadd_header Referrer-Policy \"strict-origin\";\n"
|
||||||
|
|
||||||
# Add in any user customizations in the includes/ folder.
|
# Add in any user customizations in the includes/ folder.
|
||||||
nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
|
nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
|
||||||
if os.path.exists(nginx_conf_custom_include):
|
if os.path.exists(nginx_conf_custom_include):
|
||||||
|
@ -156,8 +156,6 @@ if [ ! -f /etc/nginx/conf.d/10-geoblock.conf ]; then
|
|||||||
cp -f conf/nginx/conf.d/10-geoblock.conf /etc/nginx/conf.d/
|
cp -f conf/nginx/conf.d/10-geoblock.conf /etc/nginx/conf.d/
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cp -f conf/nginx/security.conf /etc/nginx/sites-enabled/
|
|
||||||
|
|
||||||
# touch logfiles that might not exist
|
# touch logfiles that might not exist
|
||||||
touch /var/log/nginx/geoipblock.log
|
touch /var/log/nginx/geoipblock.log
|
||||||
chown www-data /var/log/nginx/geoipblock.log
|
chown www-data /var/log/nginx/geoipblock.log
|
||||||
|
Loading…
Reference in New Issue
Block a user