Add security-related HTTP headers to static web site and web-app.

Adds the following headers to the static website content and the web-app responses (but doesn't modify any of the headers for API responses): - X-XSS-Protection - X-Frame-Options - X-Content-Type-Options
NREL · Dec 15, 2016 · f15ac87 · f15ac87
1 parent baa4ab6
commit f15ac87
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/templates/etc/nginx/router.conf.mustache b/templates/etc/nginx/router.conf.mustache
@@ -207,6 +207,12 @@ http {
     server_name _;
 
     root {{static_site.build_dir}};
+
+    # Security headers
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
+    more_set_headers "X-XSS-Protection: 1; mode=block";
+    more_set_headers "X-Frame-Options: DENY";
+    more_set_headers "X-Content-Type-Options: nosniff";
   }
 
   map $http_accept_encoding $normalized_accept_encoding {
@@ -266,6 +272,12 @@ http {
     set $x_api_umbrella_request_id $http_x_api_umbrella_request_id;
     root {{web.dir}}/public;
 
+    # Security headers
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
+    more_set_headers "X-XSS-Protection: 1; mode=block";
+    more_set_headers "X-Frame-Options: DENY";
+    more_set_headers "X-Content-Type-Options: nosniff";
+
     {{^_development_env?}}
     location /web-assets/ {
       alias {{_embedded_root_dir}}/apps/core/current/build/dist/web-app-assets/web-assets/;