From a5f8ab61829d65f5440069155debc6c95b1ecc5d Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sun, 13 Nov 2016 23:45:42 +0200
Subject: [PATCH] roles/nginx: Harden security headers

Always add security headers, not just for successful HTTP response codes. See the nginx `add_header` docs.
---
 roles/nginx/files/extra-security.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/roles/nginx/files/extra-security.conf b/roles/nginx/files/extra-security.conf
index dcc5fba..5265138 100644
--- a/roles/nginx/files/extra-security.conf
+++ b/roles/nginx/files/extra-security.conf
@@ -1,17 +1,17 @@
 # The X-Frame-Options header indicates whether a browser should be allowed
 # to render a page within a frame or iframe.
-add_header X-Frame-Options SAMEORIGIN;
+add_header X-Frame-Options SAMEORIGIN always;
 
 # MIME type sniffing security protection
 # There are very few edge cases where you wouldn't want this enabled.
-add_header X-Content-Type-Options nosniff;
+add_header X-Content-Type-Options nosniff always;
 
 # The X-XSS-Protection header is used by Internet Explorer version 8+
 # The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
-add_header X-XSS-Protection "1; mode=block";
+add_header X-XSS-Protection "1; mode=block" always;
 
 # with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
 # you can tell the browser that it can only download content from the domains you explicitly allow
 # CSP can be quite difficult to configure, and cause real issues if you get it wrong
 # There is website that helps you generate a policy here http://cspisawesome.com/
-# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;";
+# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
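Review bot: The `always` flag covers error status codes, but it does not cover the other way these headers get silently dropped: nginx only inherits `add_header` from the enclosing level when the current `server` or `location` block declares no `add_header` of its own, so any block that adds even one header loses all three of these. Since this file is presumably included into server blocks by the role, that caveat belongs next to the directives; I would add at the top `# NOTE: add_header is not merged across levels - any server/location block that declares its own add_header must re-include this file, or these headers are dropped.` Separately, the X-XSS-Protection comment describes only the IE behaviour; a short note that this header is a legacy mitigation and that Content-Security-Policy is the supported replacement would help whoever enables the commented-out CSP line later.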