roles/nginx: Harden security headers

Always add security headers, not just for successful HTTP response codes. See the nginx `add_header` docs.
2016-11-13 23:45:42 +02:00 · 2016-11-13 23:45:42 +02:00 · a5f8ab6182
commit a5f8ab6182
parent 99caf49a90
1 changed files with 4 additions and 4 deletions
--- a/roles/nginx/files/extra-security.conf
+++ b/roles/nginx/files/extra-security.conf
@ -1,17 +1,17 @@
 # The X-Frame-Options header indicates whether a browser should be allowed
 # to render a page within a frame or iframe.
-add_header X-Frame-Options SAMEORIGIN;
+add_header X-Frame-Options SAMEORIGIN always;
 
 # MIME type sniffing security protection
 #	There are very few edge cases where you wouldn't want this enabled.
-add_header X-Content-Type-Options nosniff;
+add_header X-Content-Type-Options nosniff always;
 
 # The X-XSS-Protection header is used by Internet Explorer version 8+
 # The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
-add_header X-XSS-Protection "1; mode=block";
+add_header X-XSS-Protection "1; mode=block" always;
 
 # with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
 # you can tell the browser that it can only download content from the domains you explicitly allow
 # CSP can be quite difficult to configure, and cause real issues if you get it wrong
 # There is website that helps you generate a policy here http://cspisawesome.com/
-# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;";
+# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;