From 27fb01cc1a58e245793b10d78a0c114781d4ba16 Mon Sep 17 00:00:00 2001
From: schererleander <leander@schererleander.de>
Date: Fri, 30 May 2025 06:23:34 +0200
Subject: hardened nginx

---
 hosts/vps/configuration.nix | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)

(limited to 'hosts')

diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index b309502..d688cf9 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -52,27 +52,14 @@
     sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
 
     appendHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
       map $scheme $hsts_header {
           https   "max-age=31536000; includeSubdomains; preload";
       }
       add_header Strict-Transport-Security $hsts_header;
-
-      # Enable CSP for your services.
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-      # Disable embedding as a frame
+      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+      add_header 'Referrer-Policy' same-origin always;
       add_header X-Frame-Options DENY;
-
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
-
-      # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      add_header X-Content-Type-Options nosniff always;
     '';
 
     virtualHosts."schererleander.de" = {
-- 
cgit v1.3.1