fix: ngix security headers

2026-02-14 21:15:08 +01:00
parent f575c4f0d9
commit f3c441db2b
4 changed files with 49 additions and 20 deletions
--- a/files/nginx/0_security.conf
+++ b/files/nginx/0_security.conf
@@ -14,14 +14,17 @@ resolver                     127.0.0.1;

 # Add some basic security headers from OWASP
 # see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
-add_header                   Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                      always;
-add_header                   X-Frame-Options                "DENY"                                                               always;
-add_header                   X-XSS-Protection               "0"                                                                  always;
-add_header                   X-Content-Type-Options         "nosniff"                                                            always;
-add_header                   Referrer-Policy                "strict-origin-when-cross-origin"                                    always;
-add_header                   Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"    always;
-add_header                   Cross-Origin-Opener-Policy     "same-origin"                                                        always;
-add_header                   Cross-Origin-Resource-Policy   "same-site"                                                          always;
-add_header                   Permissions-Policy             "geolocation=(), camera=(), microphone=()"                           always;
-add_header                   Server                         "webserver"                                                          always;
-add_header                   X-Robots-Tag                   "noindex, nofollow"                                                  always;
+# And Nextcloud doc
+# see: https://docs.nextcloud.com/server/31/admin_manual/installation/harden_server.html
+add_header                   Strict-Transport-Security            "max-age=63072000; includeSubDomains; preload;"                                      always;
+add_header                   X-Frame-Options                      "sameorigin"                                                                         always;
+add_header                   X-XSS-Protection                     "1;mode=block"                                                                       always;
+add_header                   X-Content-Type-Options               "nosniff"                                                                            always;
+add_header                   X-Permitted-Cross-Domain-Policies    "none"                                                                               always;
+add_header                   Referrer-Policy                      "strict-origin-when-cross-origin"                                                    always;
+add_header                   Content-Security-Policy              "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self';"    always;
+add_header                   Cross-Origin-Opener-Policy           "same-origin"                                                                        always;
+add_header                   Cross-Origin-Resource-Policy         "same-site"                                                                          always;
+add_header                   Permissions-Policy                   "geolocation=(), camera=(), microphone=()"                                           always;
+add_header                   Server                               "webserver"                                                                          always;
+add_header                   X-Robots-Tag                         "noindex, nofollow"                                                                  always;