iflowfor8hours / sandcastle

An opinionated configuration for running sandstorm with a focus on security and paranoid assumptions
MIT License

harden nginx config #4

Open jacksingleton opened 9 years ago

jacksingleton commented 9 years ago

We could look at porting hardening.io's nginx hardening scripts to Ansible. They have Chef and Puppet implementations and even a test suite.

Looking at the spec though, it might not be worth the trouble (although I'm sure it would be useful to others if we ported it over): https://github.com/hardening-io/tests-nginx-hardening/blob/master/default/serverspec/nginx_spec.rb

Would be pretty quick to add these parameters to our nginx config

Can we find any more resources on a secure nginx setup?

jacksingleton commented 9 years ago

Let's take a look at the headers that SecureDrop has set: https://github.com/freedomofpress/securedrop/blob/2a3c93cf0fa3be87cd77bc8be2ebfb9ced2fc54f/install_files/ansible-base/roles/app/templates/sites-available/source.conf

They aggressively disable caching, for example. Might be a good idea.