summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohannes Löthberg <johannes@kyriasis.com>2017-01-10 16:40:27 +0000
committerJohannes Löthberg <johannes@kyriasis.com>2017-01-10 16:40:27 +0000
commite066729ddd8379c84b8b59a3876f832f3e657677 (patch)
tree8f4e27b7f75013c00ad219f21302168ab31f0b7d
parent9638d1a73f99612d514e1f8554f4a6277a429977 (diff)
downloadpillar-e066729ddd8379c84b8b59a3876f832f3e657677.tar.xz
nginx: Sett STS, X-Frame-Options, and XCTO everywhere
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
-rw-r--r--theos/nginx/git_kyriasis_com.sls9
-rw-r--r--theos/nginx/xan_kyriasis_com.sls11
2 files changed, 20 insertions, 0 deletions
diff --git a/theos/nginx/git_kyriasis_com.sls b/theos/nginx/git_kyriasis_com.sls
index 8c88d12..7eded7a 100644
--- a/theos/nginx/git_kyriasis_com.sls
+++ b/theos/nginx/git_kyriasis_com.sls
@@ -30,6 +30,15 @@ nginx:
- ssl_stapling_verify: 'on'
- ssl_trusted_certificate: /etc/letsencrypt/live/git.kyriasis.com/fullchain.pem
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
# Enable the Cross-site scripting filter in most recent browsers.
# Normally enabled by default, but enable it anyway if user has disabled it.
- add_header: 'X-XSS-Protection "1; mode=block"'
diff --git a/theos/nginx/xan_kyriasis_com.sls b/theos/nginx/xan_kyriasis_com.sls
index 267ccdb..52a7cca 100644
--- a/theos/nginx/xan_kyriasis_com.sls
+++ b/theos/nginx/xan_kyriasis_com.sls
@@ -30,6 +30,17 @@ nginx:
- ssl_stapling_verify: 'on'
- ssl_trusted_certificate: /etc/letsencrypt/live/xan.kyriasis.com/fullchain.pem
+ - error_log: /var/log/nginx/xan.error.log
+
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
# Enable the Cross-site scripting filter in most recent browsers.
# Normally enabled by default, but enable it anyway if user has disabled it.
- add_header: 'X-XSS-Protection "1; mode=block"'