diff --git a/doc/nginx/sites-available/authentic.conf b/doc/nginx/sites-available/authentic.conf
index 0ab7170..35f8339 100644
--- a/doc/nginx/sites-available/authentic.conf
+++ b/doc/nginx/sites-available/authentic.conf
@@ -14,18 +14,28 @@ server {
 /var/lib/authentic2-multitenant/tenants/$host/theme/static/$1
 /var/lib/authentic2-multitenant/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/authentic2-multitenant/tenants/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
 alias /var/lib/authentic2-multitenant/www/robots.txt;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location / {
- add_header 'Access-Control-Allow-Origin' '*';
 proxy_pass http://unix:/var/run/authentic2-multitenant/authentic2-multitenant.sock;
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-SSL on;
@@ -33,6 +43,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/bijoe.conf b/doc/nginx/sites-available/bijoe.conf
index 67dd5aa..6e7874e 100644
--- a/doc/nginx/sites-available/bijoe.conf
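Review bot: None of the add_header directives in the first hunk carry nginx's `always` parameter, so the new headers are only attached to 2xx/3xx responses and are missing from the =404 produced by try_files and from any 4xx/5xx the backend returns through `location /` in the second hunk; `add_header 'X-Content-Type-Options' 'nosniff' always;` (and likewise for the other three headers) covers every status. The same applies to the add_header lines in the ten other sites-available files in this diff. Separately, `'unsafe-inline'` is not a source expression that `object-src` understands (it only has meaning for script-src and style-src), so that token is ignored by browsers; if /media/ serves user-supplied files, `object-src 'none'` is the stricter and conventional value there. The enclosing server block starts and ends outside both hunks.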
+++ b/doc/nginx/sites-available/bijoe.conf
@@ -14,10 +14,18 @@ server {
 /var/lib/bijoe/tenants/$host/theme/static/$1
 /var/lib/bijoe/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/bijoe/tenants/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
@@ -32,6 +40,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/chrono.conf b/doc/nginx/sites-available/chrono.conf
index 4a51b44..3a14f52 100644
--- a/doc/nginx/sites-available/chrono.conf
+++ b/doc/nginx/sites-available/chrono.conf
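Review bot: Placing add_header directives inside `location /` in the second hunk (from `+ add_header 'X-Content-Type-Options' 'nosniff';` on) stops that location inheriting any add_header defined at server level, because nginx only inherits add_header from the enclosing level when the current level defines none. If the server block, which lies outside this hunk, sets headers such as Strict-Transport-Security, proxied responses will no longer carry them; either repeat those headers here or move the whole header set into a shared snippet that each location includes. In the lines this hunk shows, `location /` previously had no add_header at all, so this is a new loss of inheritance; the same applies to the `location /` hunks of chrono, combo, corbo, fargo, hobo, mandayejs, passerelle and welco, whereas authentic and wcs already had an add_header there.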
@@ -14,10 +14,18 @@ server {
 /var/lib/chrono/tenants/$host/theme/static/$1
 /var/lib/chrono/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/chrono/tenants/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
@@ -32,6 +40,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/combo.conf b/doc/nginx/sites-available/combo.conf
index e15d71b..e7c554f 100644
--- a/doc/nginx/sites-available/combo.conf
+++ b/doc/nginx/sites-available/combo.conf
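Review bot: The same three add_header lines are pasted verbatim into the static, media and robots.txt locations of the first hunk and into every other sites-available file in this diff, while `location /` in the second hunk gets only two of them, so the header set is already inconsistent across locations and will drift further with each edit. Following the pattern this commit introduces with `include snippets/gzip-statics.conf;`, a `snippets/security-headers.conf` holding the shared add_header lines, included from each location, would make the policy a single place to review and change. Which headers `location /` is meant to carry (the CSP is presumably left to the proxied application) deserves a one-line comment either way.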
@@ -14,11 +14,18 @@ server {
 /var/lib/combo/tenants/$host/theme/static/$1
 /var/lib/combo/collectstatic/$1 =404;
- add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/combo/tenants/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
@@ -33,6 +40,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/corbo.conf b/doc/nginx/sites-available/corbo.conf
index aeb7b03..37a88e9 100644
--- a/doc/nginx/sites-available/corbo.conf
+++ b/doc/nginx/sites-available/corbo.conf
@@ -14,10 +14,18 @@ server {
 /var/lib/corbo/tenants/$host/theme/static/$1
 /var/lib/corbo/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/corbo/tenants/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
@@ -32,6 +40,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/fargo.conf b/doc/nginx/sites-available/fargo.conf
index 8614e48..6442c0c 100644
--- a/doc/nginx/sites-available/fargo.conf
+++ b/doc/nginx/sites-available/fargo.conf
@@ -14,6 +14,11 @@ server {
 /var/lib/fargo/tenants/$host/theme/static/$1
 /var/lib/fargo/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location /robots.txt {
@@ -28,6 +33,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/hobo.conf b/doc/nginx/sites-available/hobo.conf
index 26f944e..6f88764 100644
--- a/doc/nginx/sites-available/hobo.conf
+++ b/doc/nginx/sites-available/hobo.conf
@@ -14,10 +14,18 @@ server {
 /var/lib/hobo/tenants/$host/theme/static/$1
 /var/lib/hobo/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/hobo/tenants/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
@@ -32,6 +40,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/mandayejs.conf b/doc/nginx/sites-available/mandayejs.conf
index 8a1034e..f46d84d 100644
--- a/doc/nginx/sites-available/mandayejs.conf
+++ b/doc/nginx/sites-available/mandayejs.conf
@@ -14,10 +14,18 @@ server {
 /var/lib/mandayejs/tenants/$host/theme/static/$1
 /var/lib/mandayejs/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/mandayejs/tenants/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
@@ -32,6 +40,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/passerelle.conf b/doc/nginx/sites-available/passerelle.conf
index aeb2cf0..1529af7 100644
--- a/doc/nginx/sites-available/passerelle.conf
+++ b/doc/nginx/sites-available/passerelle.conf
@@ -14,6 +14,11 @@ server {
 /var/lib/passerelle/tenants/$host/theme/static/$1
 /var/lib/passerelle/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location /robots.txt {
@@ -28,6 +33,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/wcs.conf b/doc/nginx/sites-available/wcs.conf
index cce4f7c..6a4ee1f 100644
--- a/doc/nginx/sites-available/wcs.conf
+++ b/doc/nginx/sites-available/wcs.conf
@@ -14,10 +14,18 @@ server {
 /var/lib/wcs/$host/theme/static/$1
 /var/lib/wcs/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/wcs/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
@@ -25,7 +33,6 @@ server {
 }
 location / {
- add_header 'Access-Control-Allow-Origin' '*';
 proxy_pass http://unix:/var/run/wcs/wcs.sock;
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-SSL on;
@@ -33,6 +40,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/sites-available/welco.conf b/doc/nginx/sites-available/welco.conf
index a01d286..801825b 100644
--- a/doc/nginx/sites-available/welco.conf
+++ b/doc/nginx/sites-available/welco.conf
@@ -14,10 +14,18 @@ server {
 /var/lib/welco/tenants/$host/theme/static/$1
 /var/lib/welco/collectstatic/$1 =404;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+ add_header 'Access-Control-Allow-Origin' '*';
+ include snippets/gzip-statics.conf;
 }
 location ~ ^/media/(.+)$ {
 alias /var/lib/welco/tenants/$host/media/$1;
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
+ add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
 }
 location /robots.txt {
@@ -32,6 +40,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+ add_header 'X-Content-Type-Options' 'nosniff';
+ add_header 'X-XSS-Protection' '1; mode=block';
 }
 }
diff --git a/doc/nginx/snippets/gzip-statics.conf b/doc/nginx/snippets/gzip-statics.conf
new file mode 100644
index 0000000..33898e8
--- /dev/null
+++ b/doc/nginx/snippets/gzip-statics.conf
@@ -0,0 +1,19 @@
+# to be used in location /static :
+#
+# location ~ ^/static/(.+)$ {
+# root /;
+# include snippets/gzip-statics.conf;
+# try_files ... =404;
+# }
+#
+
+gzip on;
+gzip_disable "msie6";
+
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_types text/css application/javascript;
+
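Review bot: The header comment of the new gzip-statics.conf snippet says where to include it but not why compression is confined to the static locations; a line such as `# static files only: do not include in proxied locations, compressing dynamic responses that embed per-session secrets weakens TLS (BREACH)` would keep a later maintainer from adding it to `location /`. The `gzip_types` list covers only text/css and application/javascript, which looks deliberate; if SVG or font assets under /static/ are meant to stay uncompressed, a short comment saying so would stop that list being "completed" later.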