From 4ea152bf513f60d32e8003da27b11a2a5cc23b4f Mon Sep 17 00:00:00 2001
From: Alan Orth <alan.orth@gmail.com>
Date: Sat, 24 Jan 2015 13:05:42 +0300
Subject: [PATCH] roles/nginx: Add HTTP headers for web application security

See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Signed-off-by: Alan Orth <alan.orth@gmail.com>
---
 roles/nginx/files/extra-security.conf | 17 +++++++++++++++++
 roles/nginx/tasks/main.yml            |  3 ++-
 roles/nginx/templates/vhost.conf.j2   |  2 ++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 roles/nginx/files/extra-security.conf

diff --git a/roles/nginx/files/extra-security.conf b/roles/nginx/files/extra-security.conf
new file mode 100644
index 0000000..dcc5fba
--- /dev/null
+++ b/roles/nginx/files/extra-security.conf
@@ -0,0 +1,17 @@
+# The X-Frame-Options header indicates whether a browser should be allowed
+# to render a page within a frame or iframe.
+add_header X-Frame-Options SAMEORIGIN;
+ 
+# MIME type sniffing security protection
+#	There are very few edge cases where you wouldn't want this enabled.
+add_header X-Content-Type-Options nosniff;
+ 
+# The X-XSS-Protection header is used by Internet Explorer version 8+
+# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
+add_header X-XSS-Protection "1; mode=block";
+ 
+# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
+# you can tell the browser that it can only download content from the domains you explicitly allow
+# CSP can be quite difficult to configure, and cause real issues if you get it wrong
+# There is website that helps you generate a policy here http://cspisawesome.com/
+# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;";
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 177ac0f..416d3b7 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -11,9 +11,10 @@
   apt: pkg=nginx update_cache=yes state=latest
   tags: nginx
 
-- name: Copy nginx config
+- name: Copy nginx configs
   copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
   with_items:
+    - extra-security.conf
     - nginx.conf
   notify:
     - reload nginx
diff --git a/roles/nginx/templates/vhost.conf.j2 b/roles/nginx/templates/vhost.conf.j2
index 6d9fcc1..ee4e6a3 100644
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@@ -60,4 +60,6 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
     }
+
+    include extra-security.conf;
 }