update conf
DmyMi committed Apr 21, 2023
1 parent 64da9af commit f8146dd
Showing 3 changed files with 34 additions and 63 deletions.
65 changes: 17 additions & 48 deletions includes/cache.conf
@@ -1,43 +1,26 @@
location ~* \.(?:json)$ {
add_header Cache-Control "no-store, no-cache, public, must-revalidate, proxy-revalidate, max-age=0";
add_header Pragma "no-cache";
etag off;
if_modified_since off;
expires -1;

include {{ env "APP_ROOT" }}/includes/security.conf;
}

location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=2628000"; # 1 month
## Security
## Always HTTPS
add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always; # 1 year
## Don't open in Iframe
add_header X-Frame-Options "DENY" always;
## No content type autodiscovery
add_header X-Content-Type-Options "nosniff" always;
## Don't disclose full url when navigating to links
add_header Referrer-Policy "strict-origin" always;
## New Header for features
## https://www.w3.org/TR/permissions-policy-1/
add_header Permissions-Policy "microphone=(); geolocation=(self); camera=()" always;
## CSP
## TODO: WHEN GOING PROD CHANGE TO Content-Security-Policy
add_header Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; script-src 'self'; script-src-elem 'self'; base-uri 'self'; img-src https://* 'self' data:; trusted-types angular; require-trusted-types-for 'script'" always;

include {{ env "APP_ROOT" }}/includes/security.conf;
}

# TODO: Should we cache JSON files in assets?
location ~* \.(?:jpg|jpeg|gif|png|ico|xml|webp|json)$ {
location ~* \.(?:jpg|jpeg|gif|png|ico|xml|webp|svg)$ {
add_header Cache-Control "public, max-age=86400"; # 1 day
## Security
## Always HTTPS
add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always; # 1 year
## Don't open in Iframe
add_header X-Frame-Options "DENY" always;
## No content type autodiscovery
add_header X-Content-Type-Options "nosniff" always;
## Don't disclose full url when navigating to links
add_header Referrer-Policy "strict-origin" always;
## New Header for features
## https://www.w3.org/TR/permissions-policy-1/
add_header Permissions-Policy "microphone=(); geolocation=(self); camera=()" always;
## CSP
## TODO: WHEN GOING PROD CHANGE TO Content-Security-Policy
add_header Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; script-src 'self'; script-src-elem 'self'; base-uri 'self'; img-src https://* 'self' data:; trusted-types angular; require-trusted-types-for 'script'" always;

include {{ env "APP_ROOT" }}/includes/security.conf;
}

location ~* \.(?:eot|woff|woff2|ttf|svg|otf) {
location ~* \.(?:eot|woff|woff2|ttf|otf) {
add_header Cache-Control "public, max-age=2628000"; # 1 month

# TODO: Allow CORS requests for fonts?
Expand All @@ -50,19 +33,5 @@ location ~* \.(?:eot|woff|woff2|ttf|svg|otf) {
types {font/x-woff woff2;}
types {image/svg+xml svg svgz;}

## Security
## Always HTTPS
add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always; # 1 year
## Don't open in Iframe
add_header X-Frame-Options "DENY" always;
## No content type autodiscovery
add_header X-Content-Type-Options "nosniff" always;
## Don't disclose full url when navigating to links
add_header Referrer-Policy "strict-origin" always;
## New Header for features
## https://www.w3.org/TR/permissions-policy-1/
add_header Permissions-Policy "microphone=(); geolocation=(self); camera=()" always;
## CSP
## TODO: WHEN GOING PROD CHANGE TO Content-Security-Policy
add_header Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; script-src 'self'; script-src-elem 'self'; base-uri 'self'; img-src https://* 'self' data:; trusted-types angular; require-trusted-types-for 'script'" always;
include {{ env "APP_ROOT" }}/includes/security.conf;
}
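Review bot: Moving `svg` into the image location (the `jpg|jpeg|gif|png|ico|xml|webp|svg` regex) means SVG documents are now served with only the shared headers, and because the shared CSP is still Report-Only, an SVG navigated to directly can run its own inline script; if any SVGs under this path are user-supplied or not reviewed, I would give that location an enforced `add_header Content-Security-Policy "sandbox; script-src 'none'" always;` next to the include (or serve them with `Content-Disposition: attachment`) before the prod switch. Separately, the JSON location's `Cache-Control` combines `no-store` with `public`; `no-store` wins, but `public` is contradictory there and I would drop it: `add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";`. Note that nginx `add_header` is not inherited into a location that defines any `add_header` of its own, so every location that sets `Cache-Control` must keep this include, which the change does, and a one-line comment above each include saying so would keep the next maintainer from dropping one. The `types {image/svg+xml svg svgz;}` line stays in the font location although `svg` was removed from that regex, so it no longer has any effect there and could go.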
17 changes: 2 additions & 15 deletions includes/root.conf
Expand Up @@ -3,18 +3,5 @@ add_header Pragma "no-cache";
etag off;
if_modified_since off;
expires -1;
## Security
## Always HTTPS
add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always; # 1 year
## Don't open in Iframe
add_header X-Frame-Options "DENY" always;
## No content type autodiscovery
add_header X-Content-Type-Options "nosniff" always;
## Don't disclose full url when navigating to links
add_header Referrer-Policy "strict-origin" always;
## New Header for features
## https://www.w3.org/TR/permissions-policy-1/
add_header Permissions-Policy "microphone=(); geolocation=(self); camera=()" always;
## CSP
## TODO: WHEN GOING PROD CHANGE TO Content-Security-Policy
add_header Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com *.fontawesome.com; font-src fonts.gstatic.com *.fontawesome.com; script-src 'self'; script-src-elem 'self'; base-uri 'self'; img-src https://* 'self' data:; trusted-types angular; require-trusted-types-for 'script'" always;

include {{ env "APP_ROOT" }}/includes/security.conf;
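Review bot: The include that replaces the header block is mandatory rather than optional here, because nginx inherits `add_header` only into a location that defines none of its own, and this location sets `Pragma`/`Cache-Control` (the `Pragma` line is the hunk's context trailer; the location's opening line is above the hunk), yet nothing in the file says so. I would add above the include: `## Required: add_header is not inherited into a location that sets its own add_header, so the shared security headers must be included explicitly.` The `{{ env "APP_ROOT" }}` path also presumes the template is rendered before `nginx -t`; an unrendered file presumably fails the config test rather than silently dropping the headers, which is the right failure mode but worth a sentence in the same comment.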
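--- /dev/null
+++ b/includes/security.conf
@@ -0,0 +1,15 @@
+## Security
+## Always HTTPS
+add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always; # 1 year
+## Don't open in Iframe
+add_header X-Frame-Options "DENY" always;
+## No content type autodiscovery
+add_header X-Content-Type-Options "nosniff" always;
+## Don't disclose full url when navigating to links
+add_header Referrer-Policy "strict-origin" always;
+## New Header for features
+## https://www.w3.org/TR/permissions-policy-1/
+add_header Permissions-Policy "microphone=(); geolocation=(self); camera=()" always;
+## CSP
+## TODO: WHEN GOING PROD CHANGE TO Content-Security-Policy
+add_header Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com *.fontawesome.com; font-src fonts.gstatic.com *.fontawesome.com; script-src 'self'; script-src-elem 'self'; base-uri 'self'; img-src https://* 'self' data:; trusted-types angular; require-trusted-types-for 'script'" always;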
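Review bot: The CSP is still Report-Only (the TODO above it says so) but carries no `report-uri`/`report-to`, so violations go only to the browser console and nothing is collected before the prod switch; append a reporting endpoint, e.g. `; report-uri /csp-report` (plus a `report-to` group once a `Reporting-Endpoints` header exists), or the report-only phase yields no data. The HSTS value `31449600` is 364 days, not the 1 year the trailing comment claims, and it is below the 31536000 minimum required for preload; I would set `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # 1 year` so value and comment agree. `X-Frame-Options DENY` covers older browsers, but its modern equivalent `frame-ancestors 'none'` is absent from the policy and should be added together with `form-action 'self'` when it is switched to enforcing. `img-src https://* 'self' data:` permits any HTTPS origin, which is a wide allowance that deserves a comment stating it is intentional or a narrower list.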
