From 0ccf0fbf1cbcc6a50d4dc17473e9f91b2e262ef8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 24 Apr 2021 12:12:34 +0530 Subject: [PATCH] HSTS preload + X-XSS enables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **HSTS Preloading:** In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` **X-Xss-Protection:** `1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script. --- .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 3c3231f4..24d3ce5d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block";; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 038d3557..6c5eff36 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index a20d8a73..aaad23b6 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index e4712657..9028e846 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}