From 9a3d3bf038384362da697689d77d6b7cda00a3de Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Sat, 19 Jan 2019 12:15:47 +0100
Subject: [PATCH] configs: add security headers

For more information, see https://securityheaders.com/?q=fic.srs.epita.fr&hide=on&followRedirects=on
---
 configs/nginx-demo.conf | 6 ++++++
 configs/nginx-prod.conf | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/configs/nginx-demo.conf b/configs/nginx-demo.conf
index cf6ecee4..bc46041c 100644
--- a/configs/nginx-demo.conf
+++ b/configs/nginx-demo.conf
@@ -25,6 +25,12 @@ server {
 error_page 500 502 504 /e500.html;
 add_header Strict-Transport-Security max-age=31536000;
+ add_header X-Frame-Options deny;
+ add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
+ add_header X-Xss-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy strict-origin;
+ add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";
 location = / {
 include fic-auth.conf;
diff --git a/configs/nginx-prod.conf b/configs/nginx-prod.conf
index f8dc78ff..a0e9c416 100644
--- a/configs/nginx-prod.conf
+++ b/configs/nginx-prod.conf
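Review bot: The Content-Security-Policy line added after the Strict-Transport-Security header allows `'unsafe-inline' 'unsafe-eval'` in script-src, which lets any injected inline script or eval run, so the policy blocks little of what CSP is deployed for; the protection only becomes real once inline scripts are served with nonces or hashes (e.g. `script-src 'self' 'nonce-<per-request-value>'`) and eval is dropped. Two nginx details apply to all six new add_header lines: add_header attaches only to 2xx/3xx responses unless the `always` flag is given, so the error_page responses configured just above this block go out without these headers — `add_header X-Frame-Options deny always;` and likewise for the rest; and server-level add_header directives are not inherited into any location that declares its own add_header, which may affect the `location = /` block below if fic-auth.conf adds headers, so those locations are worth checking. The same hunk is added to configs/nginx-prod.conf and carries the same points.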
@@ -29,6 +29,12 @@ server {
 error_page 500 502 504 /e500.html;
 add_header Strict-Transport-Security max-age=31536000;
+ add_header X-Frame-Options deny;
+ add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
+ add_header X-Xss-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy strict-origin;
+ add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";
 location = / {
 include fic-auth.conf;