hardened nginx

author: schererleander <leander@schererleander.de> 2025-05-30 06:29:10 +0200
committer: schererleander <leander@schererleander.de> 2025-05-30 06:29:10 +0200
commit: 82ce430ecd75ce899beb4c700e3e0c78c8407637 (patch)
tree: c54a290c2d8842639f2831c77a9ebc5d9e32bf4c /hosts/vps
parent: cb387bed883997c28b86281809ad05990329efd9 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index 0030da6..3e5f929 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -56,7 +56,16 @@
           https   "max-age=31536000; includeSubdomains; preload";
       }
       add_header Strict-Transport-Security $hsts_header;
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+      add_header Content-Security-Policy
+      "default-src 'self'; \
+       script-src 'self'; \
+       style-src 'self'; \
+       img-src 'self' data:; \
+       font-src 'self'; \
+       connect-src 'self'; \
+       object-src 'none'; \
+       frame-ancestors 'none'; \
+       base-uri 'self';";
       add_header 'Referrer-Policy' 'same-origin';
       add_header X-Frame-Options DENY;
       add_header X-Content-Type-Options nosniff;
author	schererleander <leander@schererleander.de>	2025-05-30 06:29:10 +0200
committer	schererleander <leander@schererleander.de>	2025-05-30 06:29:10 +0200
commit	82ce430ecd75ce899beb4c700e3e0c78c8407637 (patch)
tree	c54a290c2d8842639f2831c77a9ebc5d9e32bf4c /hosts/vps
parent	cb387bed883997c28b86281809ad05990329efd9 (diff)