diff --git a/defaults/main.yml b/defaults/main.yml
index bc499cb..c62f0c2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -93,7 +93,11 @@ nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT
 nginx_set_xss_protection: False
 nginx_set_content_security_options: False
 # Choiches: 'self', 'none', a list of domains
-nginx_content_security_acl:
+nginx_content_security_src_acl:
+ - "'self'"
+# - "'none'"
+# - '{{ ansible_domain }}'
+nginx_content_security_ancestor_acl:
 - "'self'"
 # - "'none'"
 # - '{{ ansible_domain }}'
diff --git a/templates/nginx-virthost.j2 b/templates/nginx-virthost.j2
index e66cb54..d3e37dd 100644
--- a/templates/nginx-virthost.j2
+++ b/templates/nginx-virthost.j2
@@ -45,6 +45,7 @@ server {
 {% endif %}
 {% if nginx_set_xss_protection %}
+ proxy_hide_header X-XSS-Protection;
 add_header X-XSS-Protection "1; mode=block;";
 {% endif %}
 {% if nginx_set_frame_origin %}
@@ -52,7 +53,8 @@ server {
 add_header X-Frame-Options "{{ nginx_x_frame_options }}";
 {% endif %}
 {% if nginx_set_content_security_options %}
- add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ l }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
 {% endif %}
 server_tokens {{ item.server_tokens | default('off') }};
@@ -260,6 +262,7 @@ server {
 include /etc/nginx/snippets/nginx-server-ssl.conf;
 {% if nginx_set_xss_protection %}
+ proxy_hide_header X-XSS-Protection;
 add_header X-XSS-Protection "1; mode=block;";
 {% endif %}
 {% if nginx_set_frame_origin %}
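Review bot: Dropping `nginx_content_security_acl` in favour of `nginx_content_security_src_acl` and `nginx_content_security_ancestor_acl` silently orphans any inventory or group_vars override of the old name — nothing reads it any more, so a deployment that had pinned `frame-ancestors` to specific domains would quietly fall back to the `'self'` default with no error. Consider deriving the new ancestor list from the old variable with a `default()` filter as a deprecation bridge, or at least calling the rename out in the README/changelog. While this stanza is touched, the context comment `# Choiches:` could be corrected to `# Choices:`.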
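Review bot: In the new `add_header Content-Security-Policy` line of the `@@ -52,7 +53,8 @@` hunk, the `frame-src` loop binds `s` but emits `{{ l }}`, so the loop variable is never rendered; it should read `{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}`. With Ansible's default strict undefined handling the template task should fail on `l`, and with a lenient undefined it would emit an empty `frame-src ;` directive that browsers ignore. Separately, `proxy_hide_header Content-Security-Policy;` discards whatever policy the upstream application sends and replaces it with one covering only `frame-src` and `frame-ancestors`, so a backend that sets `default-src`/`script-src` loses that protection; that trade-off deserves a comment or a dedicated toggle. The same hide-and-replace is added to the TLS server block in the final hunk, and the enclosing `server {` block starts and ends outside this hunk.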
@@ -267,6 +270,7 @@ server {
 add_header X-Frame-Options "{{ nginx_x_frame_options }}";
 {% endif %}
 {% if nginx_set_content_security_options %}
+ proxy_hide_header Content-Security-Policy;
 add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
 {% endif %}
 server_tokens {{ item.server_tokens | default('off') }};
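Review bot: The `add_header Content-Security-Policy` line left as context here still iterates `nginx_content_security_acl`, which the defaults/main.yml hunk in this same commit removes in favour of `nginx_content_security_src_acl` and `nginx_content_security_ancestor_acl`; once the new defaults apply, that variable is undefined and rendering the TLS server block should fail (or emit an empty `frame-ancestors`) unless the user still sets it. It also leaves the TLS vhost without the `frame-src` directive the plain-HTTP block now gets, so the two server blocks diverge. Bring it in line with the HTTP block: `add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";`. The enclosing `server {` block starts and ends outside the hunk.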