Commit dc52ca8e authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

planet: add CSP headers

parent 6c35b76a
......@@ -19,6 +19,7 @@
with_items:
- letsencrypt.conf
- sslsettings.conf
- headers.conf
notify:
- reload nginx
......
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
......@@ -68,6 +68,7 @@ http {
access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_http main;
include snippets/sslsettings.conf;
include snippets/headers.conf;
include nginx.d/*.conf;
}
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header x-xss-protection "1; mode=block";
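Review bot: None of the `add_header` lines in this snippet carry the `always` parameter, so nginx attaches them only to 2xx and 3xx responses and error pages (4xx/5xx) go out without HSTS, `X-Frame-Options` or `nosniff`. I would write them as `add_header X-Content-Type-Options "nosniff" always;`, and likewise for the others. Separately, `x-xss-protection "1; mode=block"` targets the legacy browser XSS auditor, and current guidance is to drop the header or send `0` and rely on the CSP instead. A one-line comment at the top of the snippet saying it is meant to be included once at `http` level would also help, because nginx stops inheriting these headers in any block that declares its own `add_header`.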
......@@ -11,9 +11,3 @@ ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
......@@ -3,6 +3,9 @@
- name: install git, python2, libxslt
pacman: name=git,python2,libxslt state=present
- name: copy nginx header snipper
template: src=headers.conf dest=/etc/nginx/snippets/planet_headers.conf owner=root group=root mode=0644
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/planet.conf owner=root group=root mode=0644
notify:
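Review bot: The new "copy nginx header snipper" task has no `notify:`, so a later change to the snippet alone lands on disk without nginx being reloaded and the old header set keeps being served. Give it the same handler the following "set up nginx" task notifies; that list is cut off at the end of this hunk, but the nginx role's task earlier on the page uses `- reload nginx`. The task name also has a typo ("snipper"). Since the snippet shows no template variables, `copy` would express the intent better than `template`.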
......
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header x-xss-protection "1; mode=block";
add_header content-security-policy "script-src 'none'; style-src 'unsafe-inline' www.archlinux.org;";
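Review bot: The policy on the `content-security-policy` line restricts only `script-src` and `style-src`, and without a `default-src` fallback every other fetch type (plugins/objects, frames, `<base>` rewriting) stays unrestricted. For a page that renders third-party feed content I would add at least `object-src 'none'; base-uri 'none';` and consider a `default-src` with an explicit `img-src` for feed images, after checking what the site actually loads. `style-src 'unsafe-inline'` still lets injected markup restyle the page, so a comment explaining why it is needed would help the next reader. The three headers above the CSP line repeat what the shared `snippets/headers.conf` appears to set already, and the server blocks include both files, so each would be sent twice. Keeping only the CSP line here avoids that.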
......@@ -7,6 +7,8 @@ server {
error_log /var/log/nginx/{{ planet_domain }}/error.log;
include snippets/letsencrypt.conf;
include snippets/headers.conf;
include snippets/planet_headers.conf;
location / {
access_log off;
......@@ -19,6 +21,9 @@ server {
listen [::]:443 ssl http2;
server_name {{ planet_domain }};
include snippets/headers.conf;
include snippets/planet_headers.conf;
access_log /var/log/nginx/{{ planet_domain }}/access.log reduced;
error_log /var/log/nginx/{{ planet_domain }}/error.log;
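Review bot: Both server blocks now include `snippets/headers.conf`, and if that is the snippet shown earlier on this page it opens with a `map $scheme $hsts_header { … }` block, which nginx only accepts in `http` context. Including it inside `server { … }` should make `nginx -t` fail with a "directive is not allowed here" error. It would also redeclare a map that `nginx.conf` already pulls in at `http` level. The re-include itself is needed, since the `add_header` in `planet_headers.conf` stops inheritance of the http-level headers. The cleaner split is to keep the `map` in `nginx.conf` (or an http-only snippet) and leave only `add_header` lines in the file that servers include. Both hunks are cut inside their `server` blocks, so any `add_header` in the `location /` block is not visible. If one exists, that location would lose all of these headers as well.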
......