nginx: Sett STS, X-Frame-Options, and XCTO everywhere

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
author: Johannes Löthberg <johannes@kyriasis.com> 2017-01-10 16:40:27 +0000
committer: Johannes Löthberg <johannes@kyriasis.com> 2017-01-10 16:40:27 +0000
commit: e066729ddd8379c84b8b59a3876f832f3e657677 (patch)
tree: 8f4e27b7f75013c00ad219f21302168ab31f0b7d /theos
parent: 9638d1a73f99612d514e1f8554f4a6277a429977 (diff)
download: pillar-e066729ddd8379c84b8b59a3876f832f3e657677.tar.xz
2 files changed, 20 insertions, 0 deletions
diff --git a/theos/nginx/git_kyriasis_com.sls b/theos/nginx/git_kyriasis_com.sls
index 8c88d12..7eded7a 100644
--- a/theos/nginx/git_kyriasis_com.sls
+++ b/theos/nginx/git_kyriasis_com.sls
@@ -30,6 +30,15 @@ nginx:
               - ssl_stapling_verify: 'on'
               - ssl_trusted_certificate: /etc/letsencrypt/live/git.kyriasis.com/fullchain.pem
 
+              # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+              - add_header: 'Strict-Transport-Security "max-age=31536000"' 
+
+              # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+              - add_header: X-Frame-Options SAMEORIGIN
+
+              # Tell browsers to not try to auto-detect the Content-Type.
+              - add_header: X-Content-Type-Options nosniff
+
               # Enable the Cross-site scripting filter in most recent browsers.
               # Normally enabled by default, but enable it anyway if user has disabled it.
               - add_header: 'X-XSS-Protection "1; mode=block"'
diff --git a/theos/nginx/xan_kyriasis_com.sls b/theos/nginx/xan_kyriasis_com.sls
index 267ccdb..52a7cca 100644
--- a/theos/nginx/xan_kyriasis_com.sls
+++ b/theos/nginx/xan_kyriasis_com.sls
@@ -30,6 +30,17 @@ nginx:
               - ssl_stapling_verify: 'on'
               - ssl_trusted_certificate: /etc/letsencrypt/live/xan.kyriasis.com/fullchain.pem
 
+              - error_log: /var/log/nginx/xan.error.log
+
+              # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+              - add_header: 'Strict-Transport-Security "max-age=31536000"' 
+
+              # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+              - add_header: X-Frame-Options SAMEORIGIN
+
+              # Tell browsers to not try to auto-detect the Content-Type.
+              - add_header: X-Content-Type-Options nosniff
+
               # Enable the Cross-site scripting filter in most recent browsers.
               # Normally enabled by default, but enable it anyway if user has disabled it.
               - add_header: 'X-XSS-Protection "1; mode=block"'
author	Johannes Löthberg <johannes@kyriasis.com>	2017-01-10 16:40:27 +0000
committer	Johannes Löthberg <johannes@kyriasis.com>	2017-01-10 16:40:27 +0000
commit	e066729ddd8379c84b8b59a3876f832f3e657677 (patch)
tree	8f4e27b7f75013c00ad219f21302168ab31f0b7d /theos
parent	9638d1a73f99612d514e1f8554f4a6277a429977 (diff)
download	pillar-e066729ddd8379c84b8b59a3876f832f3e657677.tar.xz