repsys: use security headers snippet

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>

1 files changed, 3 insertions, 12 deletions

diff --git a/nginx/repsys_kyriasis_com.sls b/nginx/repsys_kyriasis_com.sls
index e2e7a65..f42de25 100644
--- a/nginx/repsys_kyriasis_com.sls
+++ b/nginx/repsys_kyriasis_com.sls
@@ -9,6 +9,8 @@ nginx:
             - listen: 80
             - listen: '[::]:80'
 
+            - include: snippets/security_headers.conf
+
             - location /.well-known/acme-challenge:
               - root: /srv/http
 
@@ -30,18 +32,7 @@ nginx:
             - ssl_stapling_verify: 'on'
             - ssl_trusted_certificate: /etc/letsencrypt/live/repsys.kyriasis.com/fullchain.pem
 
-            # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
-            - add_header: 'Strict-Transport-Security "max-age=31536000"'
-
-            # Tell browsers not to render the page inside a frame, and avoid clickjacking.
-            - add_header: X-Frame-Options SAMEORIGIN
-
-            # Tell browsers to not try to auto-detect the Content-Type.
-            - add_header: X-Content-Type-Options nosniff
-
-            # Enable the Cross-site scripting filter in most recent browsers.
-            # Normally enabled by default, but enable it anyway if user has disabled it.
-            - add_header: 'X-XSS-Protection "1; mode=block"'
+            - include: snippets/security_headers.conf
 
             # http://www.gnuterrypratchett.com/
             - add_header: 'X-Clacks-Overhead "GNU Terry Pratchett"'