Open bwbroersma opened 10 months ago

See the issues:

- Long term: cleanup the nginx file and make use of files to include default headers, so the same defaults are not repeated all over the file.

and PRs:

So:

- de-duplicate all 'default' headers in separate files:

  `csp.header.template`:

  ```nginx
  add_header Content-Security-Policy "base-uri 'self' https://*.${INTERNETNL_DOMAINNAME}; form-action 'self' https://*.${INTERNETNL_DOMAINNAME}; frame-ancestors 'none'; default-src 'self' https://*.${INTERNETNL_DOMAINNAME}";
  ```

  ```nginx
  include http.headers;
  include hsts.header;
  include csp.header;
  ```

- don't quote nginx header names (but it might be a style choice to discuss?), this is valid:

  ```nginx
  add_header X-Frame-Options SAMEORIGIN always;
  add_header X-Content-Type-Options nosniff always;
  add_header X-Clacks-Overhead 'GNU Terry Pratchett' always;
  add_header Referrer-Policy same-origin always;
  add_header X-XSS-Protection '1; mode=block' always;
  add_header Strict-Transport-Security max-age=63072000 always;
  ```

- add regex-safe domain names (for nginx)
- fix all regex domains (#1179)
- remove location regex where possible, e.g. https://github.com/internetstandards/Internet.nl/blob/f15c239c3303e61e928a189adacf144dab7cbe25/docker/webserver/nginx_templates/app.conf.template#L145 can be simplified to `location /`
- set HSTS only in nginx (since it needs to be done in nginx, also doing it in django is an extra config)
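The following shell script is an added example, not code from the Internet.nl repository or from this issue's author. It shows the two pieces of the proposal that are easy to get wrong: the header include-file layout (`http.headers`, `hsts.header`, `csp.header.template` rendered to `csp.header`) and a helper that makes a domain name safe to embed in an nginx regex by escaping its dots, so `internet.nl` no longer also matches `internetXnl`. The contents of `http.headers` are taken from the header list above; the working directory, the use of `sed` instead of `envsubst` for rendering, and the check that no `${...}` placeholder survives rendering are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Internet.nl's own code): render nginx header include
# files from templates and escape a hostname for use inside an nginx regex.
set -eu

# A hostname's only regex metacharacter is the dot; escape it so that
# "internet.nl" becomes "internet\.nl" for a server_name ~^...$ pattern.
regex_safe_domain() {
  printf '%s\n' "$1" | sed 's/\./\\./g'
}

# Write the three include files the issue proposes into $1 (assumed layout).
# Only csp.header.template contains a placeholder, so only it needs rendering.
write_header_templates() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/http.headers" <<'EOF'
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy same-origin always;
EOF
  cat > "$dir/hsts.header" <<'EOF'
add_header Strict-Transport-Security max-age=63072000 always;
EOF
  cat > "$dir/csp.header.template" <<'EOF'
add_header Content-Security-Policy "base-uri 'self' https://*.${INTERNETNL_DOMAINNAME}; form-action 'self' https://*.${INTERNETNL_DOMAINNAME}; frame-ancestors 'none'; default-src 'self' https://*.${INTERNETNL_DOMAINNAME}";
EOF
}

# Render every *.template in $1 to the same name without ".template",
# substituting ${INTERNETNL_DOMAINNAME} with $2. Fail if any placeholder is
# left unexpanded, so a typo in the template never reaches nginx as a
# literal "${...}" in a security header.
render_header_templates() {
  dir=$1
  domain=$2
  for tpl in "$dir"/*.template; do
    out=${tpl%.template}
    sed 's/\${INTERNETNL_DOMAINNAME}/'"$domain"'/g' "$tpl" > "$out"
    if grep -q '\${' "$out"; then
      echo "unexpanded variable in $out" >&2
      return 1
    fi
  done
}

# Stand-alone demo: build the files in a temporary directory and show the
# server_name line and the rendered CSP header for the example domain.
workdir=$(mktemp -d)
write_header_templates "$workdir"
render_header_templates "$workdir" internet.nl
echo "server_name ~^(www\.)?$(regex_safe_domain internet.nl)\$;"
cat "$workdir/csp.header"
rm -rf "$workdir"
```

The server block that uses these files then contains only `include http.headers; include hsts.header; include csp.header;` instead of repeating the `add_header` lines, and the rendering step can be run as part of the container start-up before `nginx -t`.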