fix: add security headers to Docker nginx config (#1244)

* Add security headers to nginx config Increase the security of the nginx server and the served page, by adding the following security headers to the nginx config: - X-Frame-Options (Disables click jacking by disallowing the page to be run in a frame/iframe) - X-XSS-Protection (Enables cross site scripting filtering) - X-Content-Type-Options (Disables MIME sniffing and forces browser to use the type given in Content-Type.) - Content-Security-Policy (Controls resources the user agent is allowed to load for a given page.) - Referrer-Policy (Governs which referrer information sent in the Referer header should be included with requests made.) Additional headers that could be added optionally: - Strict-Transport-Security (Enforce HTTPS over HTTP)
Redocly · May 14, 2020 · 4512436 · 4512436
1 parent 05e0a3f
commit 4512436
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/config/docker/nginx.conf b/config/docker/nginx.conf
@@ -21,6 +21,13 @@ http {
       alias            /usr/share/nginx/html/;
 
       if ($request_method = 'OPTIONS') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           #
@@ -36,11 +43,25 @@ http {
           return 204;
       }
       if ($request_method = 'POST') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
       }
       if ($request_method = 'GET') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';