From e066729ddd8379c84b8b59a3876f832f3e657677 Mon Sep 17 00:00:00 2001 From: Johannes Löthberg Date: Tue, 10 Jan 2017 16:40:27 +0000 Subject: nginx: Sett STS, X-Frame-Options, and XCTO everywhere MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Johannes Löthberg --- theos/nginx/git_kyriasis_com.sls | 9 +++++++++ theos/nginx/xan_kyriasis_com.sls | 11 +++++++++++ 2 files changed, 20 insertions(+) (limited to 'theos/nginx') diff --git a/theos/nginx/git_kyriasis_com.sls b/theos/nginx/git_kyriasis_com.sls index 8c88d12..7eded7a 100644 --- a/theos/nginx/git_kyriasis_com.sls +++ b/theos/nginx/git_kyriasis_com.sls @@ -30,6 +30,15 @@ nginx: - ssl_stapling_verify: 'on' - ssl_trusted_certificate: /etc/letsencrypt/live/git.kyriasis.com/fullchain.pem + # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + - add_header: 'Strict-Transport-Security "max-age=31536000"' + + # Tell browsers not to render the page inside a frame, and avoid clickjacking. + - add_header: X-Frame-Options SAMEORIGIN + + # Tell browsers to not try to auto-detect the Content-Type. + - add_header: X-Content-Type-Options nosniff + # Enable the Cross-site scripting filter in most recent browsers. # Normally enabled by default, but enable it anyway if user has disabled it. - add_header: 'X-XSS-Protection "1; mode=block"' diff --git a/theos/nginx/xan_kyriasis_com.sls b/theos/nginx/xan_kyriasis_com.sls index 267ccdb..52a7cca 100644 --- a/theos/nginx/xan_kyriasis_com.sls +++ b/theos/nginx/xan_kyriasis_com.sls @@ -30,6 +30,17 @@ nginx: - ssl_stapling_verify: 'on' - ssl_trusted_certificate: /etc/letsencrypt/live/xan.kyriasis.com/fullchain.pem + - error_log: /var/log/nginx/xan.error.log + + # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + - add_header: 'Strict-Transport-Security "max-age=31536000"' + + # Tell browsers not to render the page inside a frame, and avoid clickjacking. + - add_header: X-Frame-Options SAMEORIGIN + + # Tell browsers to not try to auto-detect the Content-Type. + - add_header: X-Content-Type-Options nosniff + # Enable the Cross-site scripting filter in most recent browsers. # Normally enabled by default, but enable it anyway if user has disabled it. - add_header: 'X-XSS-Protection "1; mode=block"' -- cgit v1.2.3-70-g09d2