# Configure secure access with letsencrypt
ssl_certificate           /etc/letsencrypt/live/netoik.io/fullchain.pem;
ssl_certificate_key       /etc/letsencrypt/live/netoik.io/privkey.pem;
include                   /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam               /etc/letsencrypt/ssl-dhparams.pem;
ssl_session_cache         shared:SSL:1m;

# Add some basic security headers from OWASP
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
add_header                Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                    always;
add_header                X-Frame-Options                "DENY"                                                             always;
add_header                X-XSS-Protection               "0"                                                                always;
add_header                X-Content-Type-Options         "nosniff"                                                          always;
add_header                Referrer-Policy                "strict-origin-when-cross-origin"                                  always;
add_header                Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"  always;
add_header                Cross-Origin-Opener-Policy     "same-origin"                                                      always;
add_header                Cross-Origin-Resource-Policy   "same-site"                                                        always;
add_header                Permissions-Policy             "geolocation=(), camera=(), microphone=()"                         always;
add_header                Server                         "webserver"                                                        always;
add_header                X-Robots-Tag                   "noindex, nofollow"                                                always;