From 4512436f1d88bd99558fe5f8384b37aa62562480 Mon Sep 17 00:00:00 2001
From: Daniel Schosser <daniel.schosser@gmail.com>
Date: Thu, 14 May 2020 09:33:09 +0200
Subject: [PATCH] fix: add security headers to Docker nginx config (#1244)

* Add security headers to nginx config

Increase the security of the nginx server and the served page, by adding the following security headers to the nginx config:
- X-Frame-Options (Disables click jacking by disallowing the page to be run in a frame/iframe)
- X-XSS-Protection (Enables cross site scripting filtering)
- X-Content-Type-Options (Disables MIME sniffing and forces browser to use the type given in Content-Type.)
- Content-Security-Policy (Controls resources the user agent is allowed to load for a given page.)
- Referrer-Policy (Governs which referrer information sent in the Referer header should be included with requests made.)

Additional headers that could be added optionally:
- Strict-Transport-Security (Enforce HTTPS over HTTP)
---
 config/docker/nginx.conf | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/config/docker/nginx.conf b/config/docker/nginx.conf
index bb79f9ce3c..9c529346dc 100644
--- a/config/docker/nginx.conf
+++ b/config/docker/nginx.conf
@@ -21,6 +21,13 @@ http {
       alias            /usr/share/nginx/html/;
 
       if ($request_method = 'OPTIONS') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           #
@@ -36,11 +43,25 @@ http {
           return 204;
       }
       if ($request_method = 'POST') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
       }
       if ($request_method = 'GET') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';