Some clickjacking protections

author Silvio Rhatto <rhatto@riseup.net>

Thu, 24 Jan 2019 17:04:39 +0000 (15:04 -0200)

committer Silvio Rhatto <rhatto@riseup.net>

Thu, 24 Jan 2019 17:04:39 +0000 (15:04 -0200)
author Silvio Rhatto <rhatto@riseup.net>
Thu, 24 Jan 2019 17:04:39 +0000 (15:04 -0200)
committer Silvio Rhatto <rhatto@riseup.net>
Thu, 24 Jan 2019 17:04:39 +0000 (15:04 -0200)
diff --git a/templates/site-ssl.erb b/templates/site-ssl.erb

index a370bc727f69d9fa9efadec7f0c2ab708ac2ce7b..5b9ce040bf3fd1151aad6639c55948bc94bc9bfd 100644 (file)
--- a/templates/site-ssl.erb
+++ b/templates/site-ssl.erb
@@ -12,6 +12,11 @@ server {
    # enable HSTS header
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
  
+  # clickjacking protection
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Frame-Options DENY;
+
    location / {
      # preserve http header and set forwarded proto
      proxy_set_header Host $http_host;
author	Silvio Rhatto <rhatto@riseup.net>
	Thu, 24 Jan 2019 17:04:39 +0000 (15:04 -0200)
committer	Silvio Rhatto <rhatto@riseup.net>
	Thu, 24 Jan 2019 17:04:39 +0000 (15:04 -0200)