summaryrefslogtreecommitdiffstats
path: root/theos/nginx
diff options
context:
space:
mode:
Diffstat (limited to 'theos/nginx')
-rw-r--r--theos/nginx/git_kyriasis_com.sls9
-rw-r--r--theos/nginx/xan_kyriasis_com.sls11
2 files changed, 20 insertions, 0 deletions
diff --git a/theos/nginx/git_kyriasis_com.sls b/theos/nginx/git_kyriasis_com.sls
index 8c88d12..7eded7a 100644
--- a/theos/nginx/git_kyriasis_com.sls
+++ b/theos/nginx/git_kyriasis_com.sls
@@ -30,6 +30,15 @@ nginx:
- ssl_stapling_verify: 'on'
- ssl_trusted_certificate: /etc/letsencrypt/live/git.kyriasis.com/fullchain.pem
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
# Enable the Cross-site scripting filter in most recent browsers.
# Normally enabled by default, but enable it anyway if user has disabled it.
- add_header: 'X-XSS-Protection "1; mode=block"'
diff --git a/theos/nginx/xan_kyriasis_com.sls b/theos/nginx/xan_kyriasis_com.sls
index 267ccdb..52a7cca 100644
--- a/theos/nginx/xan_kyriasis_com.sls
+++ b/theos/nginx/xan_kyriasis_com.sls
@@ -30,6 +30,17 @@ nginx:
- ssl_stapling_verify: 'on'
- ssl_trusted_certificate: /etc/letsencrypt/live/xan.kyriasis.com/fullchain.pem
+ - error_log: /var/log/nginx/xan.error.log
+
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
# Enable the Cross-site scripting filter in most recent browsers.
# Normally enabled by default, but enable it anyway if user has disabled it.
- add_header: 'X-XSS-Protection "1; mode=block"'