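# read more here http://tautt.com/best-nginx-configuration-for-security/
#
# NOTE on add_header inheritance: nginx inherits add_header directives from the
# enclosing level only when the current level declares none of its own. A single
# add_header inside a server/location below silently drops every header set
# here for that scope, so re-declare the whole set there (or move these to the
# lowest level where headers are added).
#
# The "always" parameter makes nginx emit the header on every response code,
# including 4xx/5xx error pages; without it the header is only added to
# 2xx/3xx/304 responses, so error pages would go out unprotected. It is used on
# every security header below, consistent with the HSTS line.

# add_header cannot replace the Server header nginx sets itself; clearing or
# rewriting it needs the headers-more module (see the more_* lines in the
# server block). Left commented for that reason.
# add_header Server "mystartup/1.0" always;

# config to not allow the browser to render the page inside a frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
# (ALLOW-FROM is not honored by current browsers; use the CSP frame-ancestors
# directive for anything finer than DENY/SAMEORIGIN.)
add_header X-Frame-Options SAMEORIGIN always;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
# nosniff also makes browsers refuse scripts/styles served with a wrong MIME
# type, so the mime types / default_type in the server block must be correct.
add_header X-Content-Type-Options nosniff always;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# NOTE(review): the built-in XSS auditor has since been removed from
# Chromium-based browsers and never existed in Firefox; current OWASP guidance
# is to send "X-XSS-Protection: 0" and rely on Content-Security-Policy instead,
# since the auditor itself has been abused as a side channel. Kept at
# "1; mode=block" for the remaining legacy browsers; revisit once a CSP is on.
add_header X-XSS-Protection "1; mode=block" always;

# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js (if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# Roll a policy out as Content-Security-Policy-Report-Only (with report-uri /
# report-to) first so violations are logged instead of breaking the site, and
# include "frame-ancestors 'self'" so CSP-aware browsers get the same
# protection as X-Frame-Options above.
# add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
# The variant below allows every origin, data: URIs, eval and inline code, so it
# provides no protection at all; only useful as a report-only starting point.
# add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;

# Optional hardening not in the original set (uncomment once verified):
# add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# HSTS: browsers only honor this header when it arrives over a valid TLS
# connection. The server block below listens on plain port 80, so the header
# must also be sent by the HTTPS server (presumably defined elsewhere) to have
# any effect. "preload" together with includeSubDomains is a commitment: once
# the domain is submitted to the browser preload list every subdomain must
# serve HTTPS, and removal takes months. Start with a short max-age and without
# preload until that holds.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;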
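server {
    # Plain-HTTP listener only. The http-level security headers are inherited
    # here solely because this block and its locations declare no add_header of
    # their own (nginx drops the inherited set as soon as one is added).
    # NOTE(review): presumably an HTTPS server / redirect exists elsewhere;
    # the HSTS header is meaningless over this listener.
    listen 80;

    sendfile on;

    # Unknown extensions are served as a download instead of being sniffed;
    # pairs with the X-Content-Type-Options: nosniff header.
    default_type application/octet-stream;

    # Removing or rewriting the Server header entirely needs the headers-more
    # module; stock nginx can only hide the version number.
    # more_clear_headers Server;
    # more_set_headers 'Server: Powered by Yondu';

    # don't send the nginx version number in error pages and Server header
    # (the header still reads "nginx"; only the version is dropped)
    server_tokens off;

    # gzip is fine for static assets over plain HTTP. Over TLS, compressing a
    # response that mixes attacker-influenced input with secrets (CSRF tokens,
    # session identifiers) leaks them through compression side channels
    # (BREACH); keep such dynamic responses out of gzip_types or disable gzip
    # for the locations that produce them.
    gzip on;
    gzip_http_version 1.1;
    gzip_disable "MSIE [1-6]\.";
    gzip_min_length 256;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
    # text/html is always compressed by gzip module
    # Level 9 costs noticeably more CPU per response than 5-6 for a few percent
    # smaller output; lower it if the host is CPU-bound.
    gzip_comp_level 9;

    server_name *.example.org;
    root /usr/share/nginx/html;

    # . files
    # Blocks dotfiles and dot-directories anywhere under root (.git, .env,
    # .htaccess, ...). Regex locations are tried in file order, so this must
    # stay ahead of the other regex locations below. It also blocks
    # /.well-known/ (ACME HTTP-01 challenges, security.txt); if those are
    # needed, add a prefix location that takes precedence over the regexes:
    #   location ^~ /.well-known/ { allow all; }
    # "return 404;" instead of "deny all;" avoids confirming that a hidden
    # path exists.
    location ~ /\. {
        deny all;
    }

    # cache.appcache, your document html and data
    # expires -1 sends "Cache-Control: no-cache", so HTML and manifests are
    # always revalidated. The SPA fallback in "location /" lands here as well,
    # because try_files re-runs location matching for /index.html.
    location ~* \.(?:manifest|appcache|html?|xml|json)$ {
        expires -1;
        # access_log logs/static.log; # I don't usually include a static log
    }

    # Media: images, icons, video, audio, HTC
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 1M;
        access_log off;
    }

    # CSS and Javascript
    # A one-year lifetime assumes fingerprinted file names (app.<hash>.js);
    # without cache busting, clients keep stale code for a year.
    location ~* /static/.*\.(?:css|js)$ {
        expires 1y;
        access_log off;
    }

    # Service worker: must never be cached, or clients keep running an old
    # worker. Two points to get right when enabling this block:
    #  - the Cache-Control value must be one quoted string; an unquoted
    #    "no-store, no-cache" is two arguments and nginx rejects the second
    #    (only "always" is accepted there);
    #  - this would be the only add_header at location level, so the
    #    http-level security headers would no longer be inherited here;
    #    repeat them inside this block.
    # location = /service-worker.js {
    #     expires -1;
    #     add_header Cache-Control "no-store, no-cache";
    #     proxy_no_cache 1;   # only meaningful when this location is proxied
    #     access_log off;
    # }

    # SPA fallback: paths that do not exist on disk serve index.html, which
    # then picks up the no-cache expires from the html location above.
    location / {
        try_files $uri $uri/ /index.html;
    }
}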