add security headers

time spent: 0.5h

Author: Friz-zy

README.md

@@ -23,15 +23,15 @@ and it can't be just copied to usual nginx. However, you can use it with docker.
 Also I don't agree with nginx microcache for every site, see known traps.
 
 Time track:
-- [Filipp Frizzy](https://github.com/Friz-zy/) 35.34h
+- [Filipp Frizzy](https://github.com/Friz-zy/) 35.84h
 
 ### Configs
 
 #### Main configs
 Almost all sections moved from main `nginx.conf` into `conf.d` directory:
 
 * `basic.conf` 
-Basic settings, security, mime types, charset, index, timeouts, open file cache, etc...
+Basic settings, mime types, charset, index, timeouts, open file cache, etc...
 * `cache.conf` 
 Fastcgi, Proxy and Uwsgi cache setup, see known traps before using ;)
 * `gzip.conf` 
@@ -42,29 +42,31 @@ Extended log formats
 Allow X-Forwarded-For header from local networks and [cloudflare](https://www.cloudflare.com/)
 * `request_id.conf` 
 Add X-Request-ID header into each request for tracing and debugging
+* `security.conf` 
+Security settings and headers
 * `ssl.conf` 
 SSL best practice from [mozilla](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.4)
 
 #### Snippets
 Templates and includes. You can also use [config generator](https://www.digitalocean.com/community/tools/nginx) from digitalocean :)
 
-* corps.conf.j2 
+* `corps.conf.j2` 
 Template of corps politic for multiple subdomains setup
-* default.conf 
+* `default.conf` 
 Example of default config with nginx_status, let's encrypt check and redirect to https
-* fastcgi.conf 
+* `fastcgi.conf` 
 Include for php locations: fastcgi parameters, timeouts and cache example
-* headers.conf 
+* `headers.conf` 
 Include with all headers, see known traps
-* protected_locations.conf 
+* `protected_locations.conf` 
 Include with protected locations with 'deny all'
-* proxy.conf 
+* `proxy.conf` 
 Include for proxy locations: proxy headers, parameters, timeouts and cache example
-* referer.conf.j2 
+* `referer.conf.j2` 
 Template of referer protection for cases when you concurents use your fail2ban protection against you, see known traps
-* site.conf.j2 
+* `site.conf.j2` 
 Template of common site configuration
-* static_location.conf 
+* `static_location.conf` 
 Include with location for static files
 
 #### Docker-compose

conf.d/basic.conf

@@ -4,7 +4,6 @@
 sendfile on; # default is off
 tcp_nopush on; # default is off
 tcp_nodelay on;
-server_tokens off; # default is on
 
 include /etc/nginx/mime.types;
 default_type application/octet-stream; # default is text/plain

conf.d/security.conf

@@ -0,0 +1,18 @@
+server_tokens off; # default is on
+
+# source: https://www.digitalocean.com/community/tools/nginx
+# you can check result here: https://securityheaders.com
+
+# disable or modify if your site should work in iframes
+add_header X-Frame-Options "SAMEORIGIN" always;
+
+add_header X-XSS-Protection "1; mode=block" always;
+
+add_header X-Content-Type-Options "nosniff" always;
+
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+# disable if some of your pages should work through http also
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

snippets/headers.conf

@@ -1,3 +1,24 @@
 add_header X-Request-ID $requestid always;
 # add_header X-Cache-Status $upstream_cache_status always;
 # add_header "Access-Control-Allow-Origin" "$corps_origin";
+
+
+
+# Security headers
+# source: https://www.digitalocean.com/community/tools/nginx
+# you can check result here: https://securityheaders.com
+
+# disable or modify if your site should work in iframes
+add_header X-Frame-Options "SAMEORIGIN" always;
+
+add_header X-XSS-Protection "1; mode=block" always;
+
+add_header X-Content-Type-Options "nosniff" always;
+
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+# disable if some of your pages should work through http also
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+