trikaratech
commented
3 months ago Open trikaratech opened 3 months ago
trikaratech
commented
3 months ago trikaratech
commented
3 months ago To solve this, the following section has to be included in the nginx config file of the concerned site.
# Add security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://use.fontawesome.com https://cdn.jsdelivr.net https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com https://use.fontawesome.com; connect-src 'self' https://backend-new.apisecurityengine.com;" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header Permissions-Policy "geolocation=(self), microphone=(), camera=()" always;Attached is the example file used for the site appnew.apisecurityengine.com. nginx_config.txt
trikaratech
commented
3 months ago