ISTI-ansible-roles
/
ansible-role-nginx
4
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Better handling of the security headers.

This commit is contained in:
Andrea Dell'Amico 2021-07-28 17:37:54 +02:00
parent baacf6b924
commit c0082ac433
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
defaults/main.yml
View File

@ -93,7 +93,11 @@ nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT
nginx_set_xss_protection: False nginx_set_xss_protection: False
nginx_set_content_security_options: False nginx_set_content_security_options: False
# Choiches: 'self', 'none', a list of domains # Choiches: 'self', 'none', a list of domains
nginx_content_security_acl: nginx_content_security_src_acl:
- "'self'"
# - "'none'"
# - '{{ ansible_domain }}'
nginx_content_security_ancestor_acl:
- "'self'" - "'self'"
# - "'none'" # - "'none'"
# - '{{ ansible_domain }}' # - '{{ ansible_domain }}'

6
templates/nginx-virthost.j2
View File

@ -45,6 +45,7 @@ server {
{% endif %} {% endif %}
{% if nginx_set_xss_protection %} {% if nginx_set_xss_protection %}
proxy_hide_header X-XSS-Protection;
add_header X-XSS-Protection "1; mode=block;"; add_header X-XSS-Protection "1; mode=block;";
{% endif %} {% endif %}
{% if nginx_set_frame_origin %} {% if nginx_set_frame_origin %}
@ -52,7 +53,8 @@ server {
add_header X-Frame-Options "{{ nginx_x_frame_options }}"; add_header X-Frame-Options "{{ nginx_x_frame_options }}";
{% endif %} {% endif %}
{% if nginx_set_content_security_options %} {% if nginx_set_content_security_options %}
add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};"; proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ l }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
{% endif %} {% endif %}
server_tokens {{ item.server_tokens | default('off') }}; server_tokens {{ item.server_tokens | default('off') }};
@ -260,6 +262,7 @@ server {
include /etc/nginx/snippets/nginx-server-ssl.conf; include /etc/nginx/snippets/nginx-server-ssl.conf;
{% if nginx_set_xss_protection %} {% if nginx_set_xss_protection %}
proxy_hide_header X-XSS-Protection;
add_header X-XSS-Protection "1; mode=block;"; add_header X-XSS-Protection "1; mode=block;";
{% endif %} {% endif %}
{% if nginx_set_frame_origin %} {% if nginx_set_frame_origin %}
@ -267,6 +270,7 @@ server {
add_header X-Frame-Options "{{ nginx_x_frame_options }}"; add_header X-Frame-Options "{{ nginx_x_frame_options }}";
{% endif %} {% endif %}
{% if nginx_set_content_security_options %} {% if nginx_set_content_security_options %}
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};"; add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
{% endif %} {% endif %}
server_tokens {{ item.server_tokens | default('off') }}; server_tokens {{ item.server_tokens | default('off') }};