doc/nginx: add add "security" HTTP headers

doc/nginx/sites-available/authentic.conf

@@ -14,18 +14,28 @@ server {
                       /var/lib/authentic2-multitenant/tenants/$host/theme/static/$1
                       /var/lib/authentic2-multitenant/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/authentic2-multitenant/tenants/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
             alias /var/lib/authentic2-multitenant/www/robots.txt;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location / {
-            add_header  'Access-Control-Allow-Origin' '*';
             proxy_pass         http://unix:/var/run/authentic2-multitenant/authentic2-multitenant.sock;
             proxy_set_header   Host $http_host;
             proxy_set_header   X-Forwarded-SSL on;
@@ -33,6 +43,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/bijoe.conf

@@ -14,10 +14,18 @@ server {
                       /var/lib/bijoe/tenants/$host/theme/static/$1
                       /var/lib/bijoe/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/bijoe/tenants/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
@@ -32,6 +40,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/chrono.conf

@@ -14,10 +14,18 @@ server {
                       /var/lib/chrono/tenants/$host/theme/static/$1
                       /var/lib/chrono/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/chrono/tenants/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
@@ -32,6 +40,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/combo.conf

@@ -14,11 +14,18 @@ server {
                       /var/lib/combo/tenants/$host/theme/static/$1
                       /var/lib/combo/collectstatic/$1
                       =404;
-	    add_header  'Access-Control-Allow-Origin' '*';
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/combo/tenants/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
@@ -33,6 +40,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/corbo.conf

@@ -14,10 +14,18 @@ server {
                       /var/lib/corbo/tenants/$host/theme/static/$1
                       /var/lib/corbo/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/corbo/tenants/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
@@ -32,6 +40,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/fargo.conf

@@ -14,6 +14,11 @@ server {
                       /var/lib/fargo/tenants/$host/theme/static/$1
                       /var/lib/fargo/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location /robots.txt {
@@ -28,6 +33,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/hobo.conf

@@ -14,10 +14,18 @@ server {
                       /var/lib/hobo/tenants/$host/theme/static/$1
                       /var/lib/hobo/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/hobo/tenants/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
@@ -32,6 +40,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/mandayejs.conf

@@ -14,10 +14,18 @@ server {
                       /var/lib/mandayejs/tenants/$host/theme/static/$1
                       /var/lib/mandayejs/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/mandayejs/tenants/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
@@ -32,6 +40,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/passerelle.conf

@@ -14,6 +14,11 @@ server {
                       /var/lib/passerelle/tenants/$host/theme/static/$1
                       /var/lib/passerelle/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location /robots.txt {
@@ -28,6 +33,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/wcs.conf

@@ -14,10 +14,18 @@ server {
                       /var/lib/wcs/$host/theme/static/$1
                       /var/lib/wcs/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/wcs/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
@@ -25,7 +33,6 @@ server {
         }
 
         location / {
-            add_header  'Access-Control-Allow-Origin' '*';
             proxy_pass         http://unix:/var/run/wcs/wcs.sock;
             proxy_set_header   Host $http_host;
             proxy_set_header   X-Forwarded-SSL on;
@@ -33,6 +40,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/sites-available/welco.conf

@@ -14,10 +14,18 @@ server {
                       /var/lib/welco/tenants/$host/theme/static/$1
                       /var/lib/welco/collectstatic/$1
                       =404;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
+            add_header 'Access-Control-Allow-Origin' '*';
+            include snippets/gzip-statics.conf;
         }
 
         location ~ ^/media/(.+)$ {
             alias /var/lib/welco/tenants/$host/media/$1;
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
+            add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
         }
 
         location /robots.txt {
@@ -32,6 +40,7 @@ server {
             proxy_set_header   X-Forwarded-Proto https;
             proxy_set_header   X-Real-IP       $remote_addr;
             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-
+            add_header 'X-Content-Type-Options' 'nosniff';
+            add_header 'X-XSS-Protection' '1; mode=block';
         }
 }

doc/nginx/snippets/gzip-statics.conf

@@ -0,0 +1,19 @@
+# to be used in location /static :
+#
+#     location ~ ^/static/(.+)$ {
+#         root /;
+#         include snippets/gzip-statics.conf;
+#         try_files ... =404;
+#     }
+#
+
+gzip on;
+gzip_disable "msie6";
+
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_types text/css application/javascript;
+