Tweak nginx example

proxy_cookie_flags set secure and httponly
Fix Content-Security-Policy
Add more headers for security, like XSS-Protection
Add gpc.json
Kromonos 2022-12-19 16:03:09 +01:00
rodzic 1dfafd79f9
commit e2d423ea6c
1 zmienionych plików z 12 dodań i 2 usunięć


@ -41,7 +41,7 @@ server {
ssl_protocols TLSv1.2 TLSv1.3;
# Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_session_timeout 10m;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
@ -97,15 +97,25 @@ server {
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_cookie_flags ~ secure HttpOnly;
add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self'; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests;";
add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self'; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; object-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;";
add_header 'X-Robots-Tag' "index, follow, noimageindex, notranslate, noarchive";
add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubDomains; preload';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Permissions-Policy' 'geolocation=(), microphone=()';
add_header 'Access-Control-Allow-Origin' '*';
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /proxy/\nDisallow: /static/\nDisallow: /media/\nCrawl-delay: 1";
}
location = /.well-known/gpc.json {
add_header Content-Type application/json;
return 200 '{"gpc": true,"version": 1,"lastUpdate": "2022-12-16"}';
}
location ~* ^/(media|static) {
http2_push_preload on;
limit_req zone=taka_media burst=5 nodelay;
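Review bot: The new `location = /.well-known/gpc.json` block (copying the robots.txt one) sets its type with `add_header Content-Type application/json;`, and in nginx an `add_header` at location level suppresses every `add_header` inherited from the enclosing level, so that response goes out without the HSTS, CSP and other headers added just above it; `default_type application/json;` sets the type for a `return` response without that side effect and also avoids emitting a second Content-Type header next to nginx's default one. `X-XSS-Protection: 1; mode=block` is a legacy header whose auditor has been removed from current browsers and is now generally recommended as `add_header 'X-XSS-Protection' '0';` or omitted, so it does not add the protection the commit title suggests. `Access-Control-Allow-Origin '*'` on every response and `object-src 'self'` in the policy are both broader than the description justifies — consider limiting CORS to the endpoints that need cross-origin reads and using `object-src 'none'` — and `script-src 'unsafe-inline'`, carried over from the old policy, still leaves inline-script XSS unblocked. `proxy_cookie_flags ~ secure HttpOnly;` applies HttpOnly to every upstream cookie; if the proxied application reads any cookie from JavaScript (a CSRF-token cookie, for instance), that cookie needs a narrower pattern — confirm against the upstream. The enclosing `server { }` block starts and ends outside the hunk, so headers such as `X-Content-Type-Options` or `Referrer-Policy` may be set elsewhere; if not, they belong in this run.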