From e2eea3c59f8799ad2e5b33fe68affc44db55978e Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 15 Aug 2023 17:15:04 -0700 Subject: [PATCH] Fix security headers --- swag/nginx/proxy-confs/element.subdomain.conf | 3 +-- swag/nginx/proxy-confs/matrix-to.subdomain.conf | 3 +-- swag/nginx/ssl.conf | 1 - 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/swag/nginx/proxy-confs/element.subdomain.conf b/swag/nginx/proxy-confs/element.subdomain.conf index 469527d..6135758 100644 --- a/swag/nginx/proxy-confs/element.subdomain.conf +++ b/swag/nginx/proxy-confs/element.subdomain.conf @@ -14,6 +14,7 @@ server { # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"; client_max_body_size 0; @@ -21,8 +22,6 @@ server { include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; - add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'"; - set $upstream_app element; set $upstream_port 80; set $upstream_proto http; diff --git a/swag/nginx/proxy-confs/matrix-to.subdomain.conf b/swag/nginx/proxy-confs/matrix-to.subdomain.conf index 00b2f89..267c39b 100644 --- a/swag/nginx/proxy-confs/matrix-to.subdomain.conf +++ b/swag/nginx/proxy-confs/matrix-to.subdomain.conf @@ -14,6 +14,7 @@ server { # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Content-Security-Policy "default-src 'none'; connect-src *; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self', upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"; client_max_body_size 0; @@ -21,8 +22,6 @@ server { include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; - add_header Content-Security-Policy "default-src 'none'; connect-src *; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self'"; - set $upstream_app matrix-to; set $upstream_port 5000; set $upstream_proto http; diff --git a/swag/nginx/ssl.conf b/swag/nginx/ssl.conf index 1680d72..6f70bce 100644 --- a/swag/nginx/ssl.conf +++ b/swag/nginx/ssl.conf @@ -28,7 +28,6 @@ ssl_trusted_certificate /config/keys/cert.crt; # Optional additional headers #add_header Cache-Control "no-transform" always; -add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'"; add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; add_header Referrer-Policy "same-origin" always; add_header X-Content-Type-Options "nosniff" always;