diff options
author | Johannes Löthberg <johannes@kyriasis.com> | 2017-01-10 16:40:27 +0000 |
---|---|---|
committer | Johannes Löthberg <johannes@kyriasis.com> | 2017-01-10 16:40:27 +0000 |
commit | e066729ddd8379c84b8b59a3876f832f3e657677 (patch) | |
tree | 8f4e27b7f75013c00ad219f21302168ab31f0b7d | |
parent | 9638d1a73f99612d514e1f8554f4a6277a429977 (diff) | |
download | pillar-e066729ddd8379c84b8b59a3876f832f3e657677.tar.xz |
nginx: Sett STS, X-Frame-Options, and XCTO everywhere
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
-rw-r--r-- | theos/nginx/git_kyriasis_com.sls | 9 | ||||
-rw-r--r-- | theos/nginx/xan_kyriasis_com.sls | 11 |
2 files changed, 20 insertions, 0 deletions
diff --git a/theos/nginx/git_kyriasis_com.sls b/theos/nginx/git_kyriasis_com.sls index 8c88d12..7eded7a 100644 --- a/theos/nginx/git_kyriasis_com.sls +++ b/theos/nginx/git_kyriasis_com.sls @@ -30,6 +30,15 @@ nginx: - ssl_stapling_verify: 'on' - ssl_trusted_certificate: /etc/letsencrypt/live/git.kyriasis.com/fullchain.pem + # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + - add_header: 'Strict-Transport-Security "max-age=31536000"' + + # Tell browsers not to render the page inside a frame, and avoid clickjacking. + - add_header: X-Frame-Options SAMEORIGIN + + # Tell browsers to not try to auto-detect the Content-Type. + - add_header: X-Content-Type-Options nosniff + # Enable the Cross-site scripting filter in most recent browsers. # Normally enabled by default, but enable it anyway if user has disabled it. - add_header: 'X-XSS-Protection "1; mode=block"' diff --git a/theos/nginx/xan_kyriasis_com.sls b/theos/nginx/xan_kyriasis_com.sls index 267ccdb..52a7cca 100644 --- a/theos/nginx/xan_kyriasis_com.sls +++ b/theos/nginx/xan_kyriasis_com.sls @@ -30,6 +30,17 @@ nginx: - ssl_stapling_verify: 'on' - ssl_trusted_certificate: /etc/letsencrypt/live/xan.kyriasis.com/fullchain.pem + - error_log: /var/log/nginx/xan.error.log + + # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + - add_header: 'Strict-Transport-Security "max-age=31536000"' + + # Tell browsers not to render the page inside a frame, and avoid clickjacking. + - add_header: X-Frame-Options SAMEORIGIN + + # Tell browsers to not try to auto-detect the Content-Type. + - add_header: X-Content-Type-Options nosniff + # Enable the Cross-site scripting filter in most recent browsers. # Normally enabled by default, but enable it anyway if user has disabled it. - add_header: 'X-XSS-Protection "1; mode=block"' |