Added headers for a more secure default.

2018-05-06 14:19:29 +00:00 · 2018-05-06 14:19:29 +00:00 · 0a1fd8adf0
parent 1e83727fdd
commit 0a1fd8adf0
1 changed files with 10 additions and 0 deletions
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@ -59,6 +59,16 @@ server {
        }
        # stop removing lines here.

+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header Referrer-Policy same-origin;
+        add_header X-Download-Options noopen;
+        
+        # Uncomment this only after you get HTTPS working.
+        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";