macbre / docker-nginx-http3

Stable and up-to-date root-less nginx with quic + http/3, google brotli compression, njs, GeoIP2, and Grade A+ SSL config
https://hub.docker.com/r/macbre/nginx-http3

nginx.conf: set security-related response headers #65

Closed macbre closed 2 years ago

macbre commented 2 years ago

Inspired by https://github.com/bunkerity/bunkerized-nginx/blob/33e0ffd5b1058fb6e702110f9240dd4703e075a3/misc/variables.env#L106 (resolves #63)

Headers set by default

$ curl 0:8888 -I
HTTP/1.1 200 OK
(...)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';
(...)
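
A regression check for the defaults shown in the curl output above, as an added example that is not part of the pull request or the project's code. The function names (`parse_headers`, `parse_csp`, `audit`) are hypothetical, and the sample input is constructed from the header lines quoted in the description.

```python
# Expected values are copied from the curl output in the PR description.
EXPECTED_HEADERS = {"x-frame-options": "SAMEORIGIN", "x-xss-protection": "1; mode=block"}
EXPECTED_CSP = {
    "object-src": {"'none'"},
    "frame-ancestors": {"'self'"},
    "form-action": {"'self'"},
    "block-all-mixed-content": set(),
    "sandbox": {"allow-forms", "allow-same-origin", "allow-scripts", "allow-popups", "allow-downloads"},
    "base-uri": {"'self'"},
}

# Constructed sample: the header lines shown in the PR, with the elided lines left out.
SAMPLE = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';
"""

def parse_headers(raw):
    """Map lower-cased header names to values; lines without a colon (status line) are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a policy into {directive: set(tokens)}; a repeated directive keeps its first occurrence."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy

def audit(raw):
    """Return findings for a raw header dump; an empty list means it matches the defaults above."""
    headers = parse_headers(raw)
    findings = [f"{name}: expected {want!r}, got {headers.get(name)!r}"
                for name, want in EXPECTED_HEADERS.items()
                if headers.get(name, "").lower() != want.lower()]
    policy = parse_csp(headers.get("content-security-policy", ""))
    for directive, want in EXPECTED_CSP.items():
        if directive not in policy:
            findings.append(f"csp: {directive} missing")
        elif policy[directive] != want:
            findings.append(f"csp: {directive} differs: {sorted(policy[directive] ^ want)}")
    return findings
```

Feeding it the output of `curl -I` against a running container lets a CI job fail when a later config change drops or loosens one of these headers.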