From be23baa816f68939ef599860dd37072fd4116be5 Mon Sep 17 00:00:00 2001
From: "dobby-yivi-agent[bot]" <275734547+dobby-yivi-agent[bot]@users.noreply.github.com>
Date: Mon, 11 May 2026 19:59:50 +0000
Subject: [PATCH] security: add baseline security headers to nginx config

Adds Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and a minimal frame-ancestors Content-Security-Policy to the server block. Headers are repeated in the cache-control and /health locations because nginx add_header inheritance is replace-not-merge per location.

Closes #74
---
 nginx.conf | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nginx.conf b/nginx.conf
index 5e50b25..fb848c9 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -4,9 +4,20 @@ server {
     root /usr/share/nginx/html;
     index index.html;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "frame-ancestors 'none'" always;
+
     location /health {
         return 200 "healthy\n";
         add_header Content-Type text/plain;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "DENY" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Content-Security-Policy "frame-ancestors 'none'" always;
     }
     location / {
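Review bot: The server-level header set stops being inherited at `location / {`, and that block's body lies outside this hunk; if it contains any `add_header` of its own (common for `index.html` no-cache rules in SPA configs), all five headers are silently dropped on exactly the responses that matter most for clickjacking, by the same replace-not-merge rule the commit message cites for the other two locations. Please verify that block, or give it the same five lines. Separately, `includeSubDomains` commits every subdomain of this host to HTTPS for a year in any browser that has seen the header once, so confirm no subdomain is still served over plain HTTP before this ships; trialling with a short `max-age=300` first is the usual precaution. The `listen` directive is not visible here either — browsers ignore HSTS received over http://, so the header only takes effect on whichever path is HTTPS-facing.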
@@ -17,6 +28,11 @@ server {
     location ~* \.(js|css|woff2?|ttf|svg|png|jpg|ico)$ {
         expires 1y;
         add_header Cache-Control "public, immutable";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "DENY" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Content-Security-Policy "frame-ancestors 'none'" always;
     }
     gzip on;
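Review bot: This is the third verbatim copy of the five-header list, and nothing enforces that the copies agree: a later edit to one of them, or a new `location` that adds any header, silently loses the set because `add_header` replaces rather than merges per location. Put the list in one file, e.g. `/etc/nginx/snippets/security-headers.conf`, and replace each copy with `include snippets/security-headers.conf;` at server level and inside every location that carries its own `add_header`, so the headers come from a single source and a `curl -sI` per path can confirm coverage. Leaving the pre-existing `add_header Cache-Control "public, immutable";` without `always` is correct as it stands — a 404 for a missing asset must not be cached as immutable for a year — so do not "align" it with the new lines.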