Add security headers

2020-04-30 22:34:20 +02:00 · 2020-04-30 22:34:20 +02:00 · 78fead89cb
commit 78fead89cb
parent 6d215742d6
2 changed files with 12 additions and 1 deletions
--- a/frontend/nuxt.config.js
+++ b/frontend/nuxt.config.js
@ -120,6 +120,7 @@ export default {
     ** Build configuration
     */
    build: {
+        extractCSS: true,
        /*
         ** You can extend webpack config here
         */
--- a/nginx/server.conf
+++ b/nginx/server.conf
@ -24,6 +24,17 @@ server {
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+        # FIXME disable inlines in webpack
+        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://cdn.jsdelivr.net;";
+
+        add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "DENY" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "origin" always;
    }

    error_page   500 502 503 504  /50x.html;
@ -37,4 +48,3 @@ server {
    }

 }
-