Improved Security Headers

Signed-off-by: Tommy <contact@tommytran.io>
2024-10-01 08:25:44 -04:00 · 2022-11-18 15:23:52 -05:00 · 2022-11-18 15:23:52 -05:00 · 306823f364
commit 306823f364
parent 119d59569d
1 changed files with 2 additions and 1 deletions
--- a/swag/nginx/ssl.conf
+++ b/swag/nginx/ssl.conf
@ -38,7 +38,8 @@ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; prelo
 # Optional additional headers
 #add_header Cache-Control "no-transform" always;
 add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src https:; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
-add_header Referrer-Policy "same-origin" always;
+add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
 add_header X-Content-Type-Options "nosniff" always;
 #add_header X-UA-Compatible "IE=Edge" always;
 add_header X-XSS-Protection "0" always;
+add_header Expect-CT "enforce, max-age=63072000";