From 616fd3160ebeb80b12e5fc826b10e32abd96bbd8 Mon Sep 17 00:00:00 2001
From: Johannes Löthberg <johannes@kyriasis.com>
Date: Thu, 30 May 2019 17:35:41 +0200
Subject: repsys: use security headers snippet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
---
 nginx/repsys_kyriasis_com.sls | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/nginx/repsys_kyriasis_com.sls b/nginx/repsys_kyriasis_com.sls
index e2e7a65..f42de25 100644
--- a/nginx/repsys_kyriasis_com.sls
+++ b/nginx/repsys_kyriasis_com.sls
@@ -9,6 +9,8 @@ nginx:
             - listen: 80
             - listen: '[::]:80'
 
+            - include: snippets/security_headers.conf
+
             - location /.well-known/acme-challenge:
               - root: /srv/http
 
@@ -30,18 +32,7 @@ nginx:
             - ssl_stapling_verify: 'on'
             - ssl_trusted_certificate: /etc/letsencrypt/live/repsys.kyriasis.com/fullchain.pem
 
-            # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
-            - add_header: 'Strict-Transport-Security "max-age=31536000"'
-
-            # Tell browsers not to render the page inside a frame, and avoid clickjacking.
-            - add_header: X-Frame-Options SAMEORIGIN
-
-            # Tell browsers to not try to auto-detect the Content-Type.
-            - add_header: X-Content-Type-Options nosniff
-
-            # Enable the Cross-site scripting filter in most recent browsers.
-            # Normally enabled by default, but enable it anyway if user has disabled it.
-            - add_header: 'X-XSS-Protection "1; mode=block"'
+            - include: snippets/security_headers.conf
 
             # http://www.gnuterrypratchett.com/
             - add_header: 'X-Clacks-Overhead "GNU Terry Pratchett"'
-- 
cgit v1.2.3-54-g00ecf