set security headers on error responses too

Daniel Micay 2021-06-18 20:22:34 -04:00
parent 444ad1a982
commit d4e4cca682


@ -90,9 +90,9 @@ http {
include snippets/security-headers.conf; include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content"; add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none' # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
add_header X-Frame-Options "DENY"; add_header X-Frame-Options "DENY" always;
location = / { location = / {
return 301 https://grapheneos.org/articles/grapheneos-servers#matrix.grapheneos.org; return 301 https://grapheneos.org/articles/grapheneos-servers#matrix.grapheneos.org;
@ -103,9 +103,9 @@ http {
proxy_hide_header X-Frame-Options; proxy_hide_header X-Frame-Options;
include snippets/security-headers.conf; include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "cross-origin" always; add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content"; add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none' # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
add_header X-Frame-Options "DENY"; add_header X-Frame-Options "DENY" always;
add_header X-Robots-Tag "none"; add_header X-Robots-Tag "none";
proxy_pass http://backend; proxy_pass http://backend;
@ -132,9 +132,9 @@ http {
include snippets/security-headers.conf; include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content"; add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'self' # obsolete and replaced with Content-Security-Policy frame-ancestors 'self'
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Robots-Tag "none"; add_header X-Robots-Tag "none";
} }
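Review bot: The two `add_header X-Robots-Tag "none";` lines in the second and third hunks were left without `always`, so nginx still omits that header on every response outside the 200/201/204/206/30x set that the commit is now fixing for Content-Security-Policy and X-Frame-Options; for the commit to match its title both lines should read `add_header X-Robots-Tag "none" always;`. The same gap may exist inside `snippets/security-headers.conf`, which is included on the first line of each hunk but not visible here: unless every `add_header` in that snippet also carries `always`, those headers are likewise dropped from error responses, which should be confirmed. The enclosing `location` blocks start outside these hunks, so any other header directives they contain could not be checked.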