30 lines
2.2 KiB
Plaintext
30 lines
2.2 KiB
Plaintext
# Configure secure access with letsencrypt
|
|
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
|
|
|
# Add some ssl settings from Mozilla
|
|
# see: https://ssl-config.mozilla.org
|
|
ssl_protocols TLSv1.3;
|
|
ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
|
ssl_prefer_server_ciphers off;
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
resolver 127.0.0.1;
|
|
|
|
# Add some basic security headers from OWASP
|
|
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header X-XSS-Protection "0" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
|
|
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
|
add_header Cross-Origin-Resource-Policy "same-site" always;
|
|
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
|
|
add_header Server "webserver" always;
|
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
|
|
|
|