From 2c8d784fd75d045a51e476d966c27ce38447b452 Mon Sep 17 00:00:00 2001
From: VC
Date: Wed, 8 Jan 2020 19:21:43 +0100
Subject: [PATCH] Adding security headers for NginX
---
 roles/nginx/templates/nginx.ssl.conf.j2 | 5 +++++
 roles/nginx/templates/proxy_params.j2 | 4 ++++
 roles/nginx/templates/vhosts/o.libertus.eu.conf.j2 | 1 +
 3 files changed, 10 insertions(+)
diff --git a/roles/nginx/templates/nginx.ssl.conf.j2 b/roles/nginx/templates/nginx.ssl.conf.j2
index acad5b2..712dd41 100644
--- a/roles/nginx/templates/nginx.ssl.conf.j2
+++ b/roles/nginx/templates/nginx.ssl.conf.j2
@@ -24,3 +24,8 @@
 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
+ # Other security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Xss-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
diff --git a/roles/nginx/templates/proxy_params.j2 b/roles/nginx/templates/proxy_params.j2
index d07ddff..1b7b18d 100644
--- a/roles/nginx/templates/proxy_params.j2
+++ b/roles/nginx/templates/proxy_params.j2
@@ -7,3 +7,7 @@ proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_hide_header Strict-Transport-Security;
+proxy_hide_header X-Frame-Options;
+proxy_hide_header X-Xss-Protection;
+proxy_hide_header X-Content-Type-Options;
+
diff --git a/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
index 8f08f6b..9e81189 100644
--- a/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
+++ b/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
@@ -1,6 +1,7 @@
 server {
 {% include './templates/header.conf.j2' %}
+ add_header Strict-Transport-Security "max-age=15768000" always;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
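Review bot: The three `add_header` lines added to `nginx.ssl.conf.j2` only reach a response when no deeper level declares its own `add_header`, because nginx inherits this directive from the enclosing level only if the current level has none. The `o.libertus.eu` vhost touched later in this commit declares several `add_header` lines in its `server` block, so depending on where this file is included that vhost appears to either lose `X-Frame-Options` entirely or send `X-Content-Type-Options` and `X-XSS-Protection` twice. I would add a comment above the block such as `# NOTE: not inherited by a server/location that declares its own add_header`, and add `add_header X-Frame-Options "SAMEORIGIN" always;` to vhosts that override. Separately, `X-Xss-Protection "1; mode=block"` is a legacy header in current browsers; a Content-Security-Policy is the usual replacement. The enclosing configuration context starts outside the hunk, so the include level cannot be confirmed from here.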
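Review bot: Hiding the upstream's `X-Frame-Options`, `X-Xss-Protection` and `X-Content-Type-Options` in `proxy_params.j2` means a backend that sends a stricter value (for example `X-Frame-Options: DENY`) is silently downgraded to whatever nginx adds. It also means a proxied vhost whose own level declares `add_header` without these headers ends up with no replacement at all. That second case looks reachable for `o.libertus.eu` if it includes this file, since its `server` block sets `add_header` lines but no `X-Frame-Options`. I would document the dependency right above the new lines, e.g. `# upstream values are dropped: every vhost using proxy_params must set these headers itself or inherit them`. The trailing empty line the hunk adds at the end of the file can be dropped.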
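Review bot: The new HSTS line in `o.libertus.eu.conf.j2` uses `always`, but the three existing `add_header` lines directly below it do not, so 4xx/5xx responses from this vhost will carry `Strict-Transport-Security` but not `nosniff` or the other headers. For consistency with this line and with `nginx.ssl.conf.j2`, I would change them to the form `add_header X-Content-Type-Options nosniff always;`. A short comment would also help, saying why HSTS is set per vhost here and whether `max-age=15768000` (about six months) without `includeSubDomains` is intentional. The `server` block continues past the end of the hunk, so further `add_header` lines may exist that are not visible here.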