-rw-r--r--meta-ibm/recipes-httpd/nginx/files/nginx.conf13
1 files changed, 13 insertions, 0 deletions
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
index 5313f508f..be7faf92f 100644
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -14,6 +14,8 @@ events {
# Note that a lot of these settings come from the OWASP Secure
# Configuration guide for nginx
# https://www.owasp.org/index.php/SCG_WS_nginx
+# and the OWASP Secure Headers project
+# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
# and the mozilla security guidelines
# https://wiki.mozilla.org/Security/Server_Side_TLS
@@ -64,6 +66,8 @@ http {
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_prefer_server_ciphers on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
location / {
# This location lets us serve the static pre-compressed webui
# content (rooted at /usr/share/www). Also if the URI points to
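Review bot: The Strict-Transport-Security header added here is emitted only on 2xx/3xx responses, because `add_header` without the `always` parameter skips 4xx/5xx; an error page from this server therefore carries no HSTS, and the same gap applies to every header added in the later `location /` hunk (no X-Frame-Options, CSP or nosniff on error responses). Appending the parameter to each directive, e.g. `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`, closes that. Separately, nginx does not merge `add_header` across levels: a `location` that declares any `add_header` of its own drops all those inherited from the enclosing block, which is why this line has to be repeated inside `location /` and why any future `add_header` placed in `@rest_server` would silently remove HSTS from proxied responses; a comment such as `# add_header is not inherited into a location that sets its own headers; repeat HSTS there` next to this directive would save the next maintainer from that trap. The enclosing `http` block starts and ends outside the hunk.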
@@ -80,6 +84,15 @@ http {
gunzip on;
gzip_static always;
try_files $uri $uri/ @rest_server;
+
+ add_header X-Frame-Options deny;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' 'unsafe-eval' 'unsafe-inline'";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ add_header Cache-Control "no-store,no-cache";
+ add_header Pragma "no-cache";
+ add_header Expires 0;
}
location @rest_server {
# Use 127.0.0.1 instead of localhost since nginx will
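Review bot: The Content-Security-Policy on the `default-src` line allows `'unsafe-inline'` and `'unsafe-eval'`, so it does not restrict inline or dynamically evaluated script and gives little protection against script injection in the served UI; the only restrictive part is `frame-ancestors 'none'`, which duplicates the `X-Frame-Options deny` above it. If the web UI presumably needs those source keywords today, a comment should say so and mark them as the part to tighten (nonces or hashes) rather than leaving the policy looking stricter than it is, e.g. `# 'unsafe-inline'/'unsafe-eval' are a concession to the current webui bundle; tighten to nonce/hash sources when it allows`. Note also that because these `add_header` lines live in `location /`, responses served through `@rest_server` receive none of them apart from what the server level provides, so `X-Content-Type-Options nosniff` and the `Cache-Control`/`Pragma`/`Expires` no-cache headers do not apply to the proxied REST responses, which are the ones most likely to carry sensitive data. The `location @rest_server` block continues outside the hunk.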