From cf6eac0d0c33ba6933d48189de4ac1a78ac3bf01 Mon Sep 17 00:00:00 2001
From: KiekerJan
Date: Mon, 2 Aug 2021 00:05:12 +0200
Subject: [PATCH] add nginx security headers

---
 conf/nginx/security.conf | 5 +++++
 setup/web.sh | 2 ++
 2 files changed, 7 insertions(+)
 create mode 100644 conf/nginx/security.conf

diff --git a/conf/nginx/security.conf b/conf/nginx/security.conf
new file mode 100644
index 00000000..fb871805
--- /dev/null
+++ b/conf/nginx/security.conf
@@ -0,0 +1,5 @@
+add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options nosniff;
+add_header Content-Security-Policy-Report-Only "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'";
+add_header Referrer-Policy "strict-origin";
diff --git a/setup/web.sh b/setup/web.sh
index 3a8fc81b..12133fe2 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -156,6 +156,8 @@ if [ ! -f /etc/nginx/conf.d/10-geoblock.conf ]; then
 cp -f conf/nginx/conf.d/10-geoblock.conf /etc/nginx/conf.d/
 fi
 
+cp -f conf/nginx/security.conf /etc/nginx/sites-enabled/
+
 # touch logfiles that might not exist
 touch /var/log/nginx/geoipblock.log
 chown www-data /var/log/nginx/geoipblock.log
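Review bot: None of the five `add_header` lines in the new security.conf carries the `always` parameter, so nginx attaches these headers only to 2xx/3xx responses and error pages (4xx/5xx) go out without HSTS, `X-Frame-Options` or `nosniff`; the fix is per line, e.g. `add_header X-Content-Type-Options nosniff always;`, applied to all five. nginx also inherits `add_header` from an enclosing level only when the current level sets none, so any `server` or `location` block that adds a header of its own silently drops this entire set; a one-line comment at the top of the file stating that, and where the file is expected to be included from, would save the next reader a surprise. The `Content-Security-Policy-Report-Only` value has no `report-uri`/`report-to`, so violations are only visible in the browser console and nothing is collected server-side; either name a reporting endpoint or state in a comment that console-only feedback is the intent. The `preload` token in the HSTS value is a long-lived commitment once the domain is submitted to the preload list and is hard to walk back; a comment saying that it is deliberate would be appropriate.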
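Review bot: The new `cp -f conf/nginx/security.conf /etc/nginx/sites-enabled/` puts a file of bare `add_header` directives, not a `server` block, into sites-enabled, which only works if nginx.conf includes `sites-enabled/*` at the `http` level; that include is not visible here, so a comment such as `# http-level add_header directives, loaded via the sites-enabled/* include in nginx.conf` would document the dependency. The geoblock copy two lines above is guarded by `if [ ! -f ... ]` while this copy overwrites on every run; if that difference is deliberate (always track the repo version, no local edits expected), say so in the same comment, otherwise guard it the same way. Because `add_header` is not merged across nginx levels, any site file under sites-enabled that sets its own `add_header` will not receive these headers, which is worth a line here since this script is where the file is installed. The enclosing script continues outside the hunk, so whether nginx is reloaded after the copy cannot be confirmed from it.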