Add some basic secure headers

Part of #249
2017-03-08 21:33:30 -08:00
parent 9e99d51853
commit 4b3ef33989
1 changed files with 8 additions and 0 deletions
--- a/setup/start/nginx/appconfig.ejs
+++ b/setup/start/nginx/appconfig.ejs
@@ -33,6 +33,14 @@ server {
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
    add_header X-Frame-Options "<%= xFrameOptions %>";

+    # https://github.com/twitter/secureheaders
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
+    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Download-Options "noopen";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-Permitted-Cross-Domain-Policies "none";
+
    proxy_http_version 1.1;
    proxy_intercept_errors on;
    proxy_read_timeout       3500;