configs: add security headers

For more information, see https://securityheaders.com/?q=fic.srs.epita.fr&hide=on&followRedirects=on
This commit is contained in:
nemunaire 2019-01-19 12:15:47 +01:00
parent dfffb18de1
commit 9a3d3bf038
2 changed files with 12 additions and 0 deletions

View File

@ -25,6 +25,12 @@ server {
error_page 500 502 504 /e500.html;
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options deny;
add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;
add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";
location = / {
include fic-auth.conf;

View File

@ -29,6 +29,12 @@ server {
error_page 500 502 504 /e500.html;
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options deny;
add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;
add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";
location = / {
include fic-auth.conf;