Harden protection against XSS attacks

2022-10-23 10:53:09 +02:00 · 2022-10-23 10:53:09 +02:00 · 801bc6f07d
parent bc5c561775
commit 801bc6f07d
1 changed files with 3 additions and 4 deletions
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@ -18,13 +18,12 @@
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-      # Disable embedding as a frame, except from the same origin
-      add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
+      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Frame-Options SAMEORIGIN;

      # This might create errors
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";