add nginx security headers

conf/nginx/security.conf

@@ -0,0 +1,5 @@
+add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options nosniff;
+add_header Content-Security-Policy-Report-Only "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'";
+add_header Referrer-Policy "strict-origin";

setup/web.sh

@@ -156,6 +156,8 @@ if [ ! -f /etc/nginx/conf.d/10-geoblock.conf ]; then
     cp -f conf/nginx/conf.d/10-geoblock.conf /etc/nginx/conf.d/
 fi
 
+cp -f conf/nginx/security.conf /etc/nginx/sites-enabled/
+
 # touch logfiles that might not exist
 touch /var/log/nginx/geoipblock.log
 chown www-data /var/log/nginx/geoipblock.log