hardened nginx

author: schererleander <leander@schererleander.de> 2025-05-30 06:14:56 +0200
committer: schererleander <leander@schererleander.de> 2025-05-30 06:14:56 +0200
commit: c8672e718fcb73d07ddab00b95eb45b53f1ffe0f (patch)
tree: d5a1166089ffb0813fa8c75ce62a0d5899b2db03 /hosts/vps
parent: 431be28ebd439cffaf7c2cd9216e5ea14952aab8 (diff)
1 files changed, 24 insertions, 0 deletions
diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index 3f0120f..b309502 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -51,6 +51,30 @@
 
     sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
 
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+
     virtualHosts."schererleander.de" = {
       root = "/var/www/site";
       sslCertificate    = "/etc/ssl/certs/schererleander.de.crt";
author	schererleander <leander@schererleander.de>	2025-05-30 06:14:56 +0200
committer	schererleander <leander@schererleander.de>	2025-05-30 06:14:56 +0200
commit	c8672e718fcb73d07ddab00b95eb45b53f1ffe0f (patch)
tree	d5a1166089ffb0813fa8c75ce62a0d5899b2db03 /hosts/vps
parent	431be28ebd439cffaf7c2cd9216e5ea14952aab8 (diff)