diff options
| -rw-r--r-- | hosts/vps/configuration.nix | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix index 3f0120f..b309502 100644 --- a/hosts/vps/configuration.nix +++ b/hosts/vps/configuration.nix @@ -51,6 +51,30 @@ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + virtualHosts."schererleander.de" = { root = "/var/www/site"; sslCertificate = "/etc/ssl/certs/schererleander.de.crt"; |