Greg/Coffee_Windsurf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: enhance and align security headers in nginx config and HTML meta tags

Browse Source
This commit is contained in:
Greg 2025-07-18 21:14:57 +02:00
parent 83ef23aeb2
commit 609bb75340
2 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
coolify-manual-nginx.conf
View File

@ -3,14 +3,14 @@
# This replaces the entire server block content
server {
# Security Headers
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
# Enhanced Security Headers - Matching HTML meta tags
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.bunny.net; font-src 'self' https://fonts.bunny.net; connect-src 'self'; script-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self';" always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
# Hide nginx version
server_tokens off;

2
index.html
View File

@ -7,7 +7,9 @@
<meta http-equiv="X-Frame-Options" content="DENY">
<meta http-equiv="X-XSS-Protection" content="1; mode=block">
<meta http-equiv="Referrer-Policy" content="strict-origin-when-cross-origin">
<meta http-equiv="Strict-Transport-Security" content="max-age=31536000; includeSubDomains; preload">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.bunny.net; font-src 'self' https://fonts.bunny.net; connect-src 'self'; script-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self';">
<meta http-equiv="X-Permitted-Cross-Domain-Policies" content="none">
<title>Chemex Pour-Over Guide</title>
<link rel="stylesheet" href="style.css">
<link rel="preconnect" href="https://fonts.bunny.net">