From e066729ddd8379c84b8b59a3876f832f3e657677 Mon Sep 17 00:00:00 2001
From: Johannes Löthberg <johannes@kyriasis.com>
Date: Tue, 10 Jan 2017 16:40:27 +0000
Subject: nginx: Sett STS, X-Frame-Options, and XCTO everywhere
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
---
 theos/nginx/git_kyriasis_com.sls |  9 +++++++++
 theos/nginx/xan_kyriasis_com.sls | 11 +++++++++++
 2 files changed, 20 insertions(+)

diff --git a/theos/nginx/git_kyriasis_com.sls b/theos/nginx/git_kyriasis_com.sls
index 8c88d12..7eded7a 100644
--- a/theos/nginx/git_kyriasis_com.sls
+++ b/theos/nginx/git_kyriasis_com.sls
@@ -30,6 +30,15 @@ nginx:
               - ssl_stapling_verify: 'on'
               - ssl_trusted_certificate: /etc/letsencrypt/live/git.kyriasis.com/fullchain.pem
 
+              # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+              - add_header: 'Strict-Transport-Security "max-age=31536000"' 
+
+              # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+              - add_header: X-Frame-Options SAMEORIGIN
+
+              # Tell browsers to not try to auto-detect the Content-Type.
+              - add_header: X-Content-Type-Options nosniff
+
               # Enable the Cross-site scripting filter in most recent browsers.
               # Normally enabled by default, but enable it anyway if user has disabled it.
               - add_header: 'X-XSS-Protection "1; mode=block"'
diff --git a/theos/nginx/xan_kyriasis_com.sls b/theos/nginx/xan_kyriasis_com.sls
index 267ccdb..52a7cca 100644
--- a/theos/nginx/xan_kyriasis_com.sls
+++ b/theos/nginx/xan_kyriasis_com.sls
@@ -30,6 +30,17 @@ nginx:
               - ssl_stapling_verify: 'on'
               - ssl_trusted_certificate: /etc/letsencrypt/live/xan.kyriasis.com/fullchain.pem
 
+              - error_log: /var/log/nginx/xan.error.log
+
+              # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+              - add_header: 'Strict-Transport-Security "max-age=31536000"' 
+
+              # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+              - add_header: X-Frame-Options SAMEORIGIN
+
+              # Tell browsers to not try to auto-detect the Content-Type.
+              - add_header: X-Content-Type-Options nosniff
+
               # Enable the Cross-site scripting filter in most recent browsers.
               # Normally enabled by default, but enable it anyway if user has disabled it.
               - add_header: 'X-XSS-Protection "1; mode=block"'
-- 
cgit v1.2.3-54-g00ecf