From cf6eac0d0c33ba6933d48189de4ac1a78ac3bf01 Mon Sep 17 00:00:00 2001
From: KiekerJan <github@kiekerjan.isdronken.nl>
Date: Mon, 2 Aug 2021 00:05:12 +0200
Subject: [PATCH] add nginx security headers

---
 conf/nginx/security.conf | 5 +++++
 setup/web.sh             | 2 ++
 2 files changed, 7 insertions(+)
 create mode 100644 conf/nginx/security.conf

diff --git a/conf/nginx/security.conf b/conf/nginx/security.conf
new file mode 100644
index 00000000..fb871805
--- /dev/null
+++ b/conf/nginx/security.conf
@@ -0,0 +1,5 @@
+add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options nosniff;
+add_header Content-Security-Policy-Report-Only "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'";
+add_header Referrer-Policy "strict-origin";
diff --git a/setup/web.sh b/setup/web.sh
index 3a8fc81b..12133fe2 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -156,6 +156,8 @@ if [ ! -f /etc/nginx/conf.d/10-geoblock.conf ]; then
     cp -f conf/nginx/conf.d/10-geoblock.conf /etc/nginx/conf.d/
 fi
 
+cp -f conf/nginx/security.conf /etc/nginx/sites-enabled/
+
 # touch logfiles that might not exist
 touch /var/log/nginx/geoipblock.log
 chown www-data /var/log/nginx/geoipblock.log