Better handling of the security headers.

This commit is contained in:
Andrea Dell'Amico 2021-07-28 17:37:54 +02:00
parent baacf6b924
commit c0082ac433
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
2 changed files with 10 additions and 2 deletions


@ -93,7 +93,11 @@ nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT
nginx_set_xss_protection: False
nginx_set_content_security_options: False
# Choiches: 'self', 'none', a list of domains
nginx_content_security_acl:
nginx_content_security_src_acl:
- "'self'"
# - "'none'"
# - '{{ ansible_domain }}'
nginx_content_security_ancestor_acl:
- "'self'"
# - "'none'"
# - '{{ ansible_domain }}'
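Review bot: Renaming `nginx_content_security_acl` (line 17) to `nginx_content_security_ancestor_acl` (line 22) leaves the old name still referenced by the SSL server block of the template (line 57, `frame-ancestors{% for l in nginx_content_security_acl %}`), so rendering with `nginx_set_content_security_options: True` would presumably fail there on an undefined variable. Either update that template line to the new name or keep `nginx_content_security_acl` as a compatibility alias until the template is fixed. The comment above the lists could also say which CSP directive each list feeds, e.g. `# frame-src sources (choices: 'self', 'none', a list of domains)` over the first list and `# frame-ancestors: origins allowed to embed this site` over the second.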


@ -45,6 +45,7 @@ server {
{% endif %}
{% if nginx_set_xss_protection %}
proxy_hide_header X-XSS-Protection;
add_header X-XSS-Protection "1; mode=block;";
{% endif %}
{% if nginx_set_frame_origin %}
@ -52,7 +53,8 @@ server {
add_header X-Frame-Options "{{ nginx_x_frame_options }}";
{% endif %}
{% if nginx_set_content_security_options %}
add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ l }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
@ -260,6 +262,7 @@ server {
include /etc/nginx/snippets/nginx-server-ssl.conf;
{% if nginx_set_xss_protection %}
proxy_hide_header X-XSS-Protection;
add_header X-XSS-Protection "1; mode=block;";
{% endif %}
{% if nginx_set_frame_origin %}
@ -267,6 +270,7 @@ server {
add_header X-Frame-Options "{{ nginx_x_frame_options }}";
{% endif %}
{% if nginx_set_content_security_options %}
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
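Review bot: In the new Content-Security-Policy line (line 42) the `frame-src` loop binds `s` but emits `{{ l }}`, so the directive is rendered without its configured sources (or, depending on Ansible's undefined-variable handling, the template fails to render); it should read `frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}`. An empty `frame-src` directive matches nothing and blocks all framed content, which would not be noticed by a syntax check of the generated config, so a render test asserting the expected header value is worth adding. The SSL server block (lines 55-58) does not receive the same change and still emits only `frame-ancestors`, so the plain and SSL server blocks now send different policies for the same site.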