doc/nginx: add add "security" HTTP headers
This commit is contained in:
parent
79156d98a0
commit
266537bc6e
|
@ -14,18 +14,28 @@ server {
|
|||
/var/lib/authentic2-multitenant/tenants/$host/theme/static/$1
|
||||
/var/lib/authentic2-multitenant/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/authentic2-multitenant/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/authentic2-multitenant/www/robots.txt;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location / {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
proxy_pass http://unix:/var/run/authentic2-multitenant/authentic2-multitenant.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
|
@ -33,6 +43,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
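Review bot: The new `add_header` directives in the `/static`, `/media`, `/robots.txt` and `/` locations only apply to 2xx/3xx responses, so the `=404` fallback at the top of the first hunk and any 4xx/5xx the proxied application returns go out without `X-Content-Type-Options` or the CSP. If the target nginx is 1.7.5 or newer, each new directive should carry the `always` flag, e.g. `add_header 'X-Content-Type-Options' 'nosniff' always;`. Note also that `add_header` is only inherited from `server` level into a location that declares none of its own, so `location /`, which now declares two, no longer inherits anything set on the `server` block; that block starts before these hunks, so I cannot see whether anything is set there. The same two remarks apply to every other file in this commit.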
|
|
|
@ -14,10 +14,18 @@ server {
|
|||
/var/lib/bijoe/tenants/$host/theme/static/$1
|
||||
/var/lib/bijoe/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/bijoe/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -32,6 +40,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
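Review bot: In the CSP added to the `/static` and `/media` locations, `'unsafe-inline'` is not a valid source expression for `object-src` (it only has meaning for `script-src` and `style-src`), so browsers ignore it and log a console warning. Unless these directories really need to serve plugin content (`<object>`/`<embed>`) from the same origin, `object-src 'none'` is the stricter and more conventional value for a static/upload tree: `"default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'none'"`. For the per-tenant `/media` alias, which presumably holds user uploads, adding the `sandbox` directive to that policy would additionally stop uploaded HTML or SVG from running scripts or submitting forms when opened directly. The enclosing `server` block starts before this hunk.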
|
|
|
@ -14,10 +14,18 @@ server {
|
|||
/var/lib/chrono/tenants/$host/theme/static/$1
|
||||
/var/lib/chrono/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/chrono/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -32,6 +40,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
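Review bot: `X-XSS-Protection: 1; mode=block` is a legacy header that only ever drove the IE/Chromium XSS auditor; Firefox never implemented it, Chromium has since removed the auditor, and while it was active `mode=block` could itself be abused for cross-site leaks of page contents. Since a CSP is introduced in the same commit, the usual recommendation is to set this header to `0` (`add_header 'X-XSS-Protection' '0';`) or leave it out rather than enable the auditor. If it is kept for older browsers it should be marked as such, e.g. `# legacy, ignored by modern browsers; the CSP is the real control`. The enclosing `server` block starts before this hunk.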
|
|
|
@ -14,11 +14,18 @@ server {
|
|||
/var/lib/combo/tenants/$host/theme/static/$1
|
||||
/var/lib/combo/collectstatic/$1
|
||||
=404;
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/combo/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -33,6 +40,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
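Review bot: The `location /` hunk adds `nosniff` and `X-XSS-Protection` to the proxied responses but no `Content-Security-Policy` and no `X-Frame-Options`/`frame-ancestors`, so the application pages — where script injection and clickjacking actually matter — end up with weaker headers than the static files. If the application does not emit these itself (I cannot tell from this hunk), at least `add_header 'X-Frame-Options' 'SAMEORIGIN';` belongs here, and since the proxy advertises `X-Forwarded-Proto https` a `Strict-Transport-Security` header on the TLS-terminating server is worth considering. Because `location /` now declares its own `add_header` directives it no longer inherits any set at `server` level; the `server` block starts outside this hunk.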
|
|
|
@ -14,10 +14,18 @@ server {
|
|||
/var/lib/corbo/tenants/$host/theme/static/$1
|
||||
/var/lib/corbo/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/corbo/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -32,6 +40,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
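Review bot: The same three `add_header` lines are pasted verbatim into four locations of this file and into every other file of this commit, which makes the next policy change (for instance tightening the CSP) a dozen-file edit that is easy to get out of sync. A single `snippets/security-headers.conf` included from each location — exactly what this commit already does with `snippets/gzip-statics.conf` — would keep the policies identical, e.g. `include snippets/security-headers.conf;`. The include has to sit inside each `location` rather than once at `server` level, because `add_header` is not inherited into a location that declares its own `add_header`. The enclosing `server` block starts before this hunk.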
|
|
|
@ -14,6 +14,11 @@ server {
|
|||
/var/lib/fargo/tenants/$host/theme/static/$1
|
||||
/var/lib/fargo/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -28,6 +33,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
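Review bot: Unlike the sibling configs, this file has no `/media` location, so I infer that user-supplied documents are served by the application through `location /`, which this commit only gives `nosniff` and `X-XSS-Protection`. The CSP that protects uploaded HTML/SVG in the other files' `/media` tree therefore has to come from the application here, or from a `Content-Disposition: attachment` on downloads; if the application already does that, a comment in this block saying so would save the next reader the same question, e.g. `# user files are served by the application, which sets its own CSP/Content-Disposition`. The enclosing `server` block starts before these hunks.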
|
|
|
@ -14,10 +14,18 @@ server {
|
|||
/var/lib/hobo/tenants/$host/theme/static/$1
|
||||
/var/lib/hobo/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/hobo/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -32,6 +40,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
|
|
|
@ -14,10 +14,18 @@ server {
|
|||
/var/lib/mandayejs/tenants/$host/theme/static/$1
|
||||
/var/lib/mandayejs/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/mandayejs/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -32,6 +40,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
|
|
|
@ -14,6 +14,11 @@ server {
|
|||
/var/lib/passerelle/tenants/$host/theme/static/$1
|
||||
/var/lib/passerelle/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -28,6 +33,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
|
|
|
@ -14,10 +14,18 @@ server {
|
|||
/var/lib/wcs/$host/theme/static/$1
|
||||
/var/lib/wcs/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/wcs/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -25,7 +33,6 @@ server {
|
|||
}
|
||||
|
||||
location / {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
proxy_pass http://unix:/var/run/wcs/wcs.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
|
@ -33,6 +40,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
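Review bot: The `location /` hunk at `-25,7 +33,6` shrinks by one line and the only candidate is `add_header 'Access-Control-Allow-Origin' '*';`, so this commit appears to drop the wildcard CORS header from the proxied wcs responses — which is the right call, since a blanket `*` on application responses is not a security header. The same line is still shown in the `location /` of the authentic2-multitenant file at the top of this commit; if the removal is intended it should be applied there too (an identity provider is the last place to leave it), and if it is deliberate only for wcs the commit message should say why. The `server` block starts before these hunks.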
|
|
|
@ -14,10 +14,18 @@ server {
|
|||
/var/lib/welco/tenants/$host/theme/static/$1
|
||||
/var/lib/welco/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/gzip-statics.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/welco/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline';";
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
|
@ -32,6 +40,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
||||
}
|
||||
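Review bot: For the per-tenant `/media` alias the new CSP and `nosniff` limit what an uploaded HTML or SVG file can do when opened directly, but they do not stop it from rendering as a document on the tenant's origin. If this directory holds user-supplied files (I am inferring that from the `tenants/$host/media` path), forcing a download for anything that is not an image — for instance a `map` on `$sent_http_content_type` feeding `add_header Content-Disposition $media_disposition;` in this location, with an empty value for image types — would remove the remaining same-origin document risk. The enclosing `server` block starts before this hunk.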
|
|
|
@ -0,0 +1,19 @@
|
|||
# to be used in location /static :
|
||||
#
|
||||
# location ~ ^/static/(.+)$ {
|
||||
# root /;
|
||||
# include snippets/gzip-statics.conf;
|
||||
# try_files ... =404;
|
||||
# }
|
||||
#
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types text/css application/javascript;
|
||||
|
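Review bot: The header comment says the snippet is meant for `location /static` but not why it must stay there: with `gzip_proxied any`, including these directives in the proxied `location /` would compress dynamic responses that mix session or CSRF tokens with attacker-influenced content, which is what BREACH-style compression attacks exploit. I would add that rationale, e.g. `# static assets only: never include in a proxied location, compressing dynamic responses enables BREACH-style attacks`. Note that the `gzip_types text/css application/javascript` list is not a second guard, because nginx compresses `text/html` regardless of `gzip_types`, so a comment to that effect would prevent a false sense of safety.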