From 801bc6f07dc723c89d631febaf3dbd21ecb0bdb3 Mon Sep 17 00:00:00 2001
From: coolneng
Date: Sun, 23 Oct 2022 10:53:09 +0200
Subject: [PATCH] Harden protection against XSS attacks

---
 modules/webstack.nix | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/modules/webstack.nix b/modules/webstack.nix
index 81ad970..72e65fd 100644
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -18,13 +18,12 @@
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
 
 # Minimize information leaked to other domains
-add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-# Disable embedding as a frame, except from the same origin
-add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
+add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
 
 # Prevent injection of code in other mime types (XSS Attacks)
 add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Frame-Options SAMEORIGIN;
 
 # This might create errors
 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
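Review bot: The Content-Security-Policy line is removed outright instead of being kept beside the new X-Frame-Options header, so the site is left with no CSP at all; `frame-ancestors` is the current standard control for framing and X-Frame-Options is its fallback for older browsers, not its replacement. Keeping `add_header Content-Security-Policy "frame-ancestors 'self'";` next to `add_header X-Frame-Options SAMEORIGIN;` preserves that control and leaves a place to add a `script-src` directive later, which is what would actually address the XSS named in the commit title. The added `add_header X-XSS-Protection "1; mode=block";` hardens little in practice: the browser XSS auditor it controls has been removed from Chromium-based browsers and was never implemented in Firefox, and current guidance is to set it to `0` or omit it and rely on CSP instead. The `frame-src` half of the old policy restricted what this site itself may embed, which neither added header covers, so that restriction is silently lost as well. The hunk sits inside a larger nginx configuration string whose start lies outside the hunk, and since nginx inherits add_header directives only into blocks that declare none of their own, it is worth confirming these headers land in the same block as the ones they replace.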