Fix security headers

Tommy 2023-08-15 17:15:04 -07:00 committed by GitHub
parent 9adff8c49b
commit e2eea3c59f
3 changed files with 2 additions and 5 deletions


@ -14,6 +14,7 @@ server {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'";
client_max_body_size 0;
@ -21,8 +22,6 @@ server {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
set $upstream_app element;
set $upstream_port 80;
set $upstream_proto http;
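Review bot: The Content-Security-Policy line added next to the HSTS header (file line 14) is emitted without `always`, so unlike the adjacent Strict-Transport-Security directive it is dropped on non-2xx/3xx responses such as a 502 from the upstream; append the flag so the directive ends `base-uri 'none'" always;`. The same omission is on the CSP line added in the matrix-to config below. nginx's add_header is not additive across nesting levels: if any location block in this file (outside the hunk) or in an included file declares its own add_header, the server-level CSP will not be sent for that location, which is worth checking since the header was moved out of the block that includes proxy.conf. `block-all-mixed-content` is deprecated and redundant next to the newly added `upgrade-insecure-requests`, so it can be dropped from the policy.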


@ -14,6 +14,7 @@ server {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'none'; connect-src *; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self', upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'";
client_max_body_size 0;
@ -21,8 +22,6 @@ server {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
add_header Content-Security-Policy "default-src 'none'; connect-src *; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self'";
set $upstream_app matrix-to;
set $upstream_port 5000;
set $upstream_proto http;
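Review bot: The added Content-Security-Policy (file line 14) has a comma instead of a semicolon after `style-src 'self'`, so the browser parses `'self',` and `upgrade-insecure-requests` as source expressions of style-src rather than as a separate directive; both tokens are invalid and ignored, which leaves style-src with no valid sources (likely blocking the site's own stylesheets) and applies no upgrade-insecure-requests at all. Change the fragment to `style-src 'self'; upgrade-insecure-requests;`. The corrected value should also be checked in a browser console once deployed, since CSP parse errors are only reported there, not by nginx.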


@ -28,7 +28,6 @@ ssl_trusted_certificate /config/keys/cert.crt;
# Optional additional headers
#add_header Cache-Control "no-transform" always;
add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;