mirror of
https://github.com/bitwarden/server.git
synced 2024-11-24 12:35:25 +01:00
include security headers
This commit is contained in:
parent
566471cae8
commit
aeca706302
@ -10,6 +10,8 @@ RUN apt-get update \
|
||||
COPY nginx.conf /etc/nginx
|
||||
COPY proxy.conf /etc/nginx
|
||||
COPY mime.types /etc/nginx
|
||||
COPY security-headers.conf /etc/nginx
|
||||
COPY security-headers-ssl.conf /etc/nginx
|
||||
COPY entrypoint.sh /
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
|
@ -140,6 +140,9 @@ http {
|
||||
map $uri $fido_content_type {
|
||||
default "application/fido.trusted-apps+json";
|
||||
}
|
||||
|
||||
# Security headers
|
||||
include security-headers.conf;
|
||||
|
||||
# Include files in the sites-enabled folder. server{} configuration files should be
|
||||
# placed in the sites-available folder, and then the configuration should be enabled
|
||||
|
2
util/Nginx/security-headers-ssl.conf
Normal file
2
util/Nginx/security-headers-ssl.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
4
util/Nginx/security-headers.conf
Normal file
4
util/Nginx/security-headers.conf
Normal file
@ -0,0 +1,4 @@
|
||||
add_header Referrer-Policy same-origin;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
@ -42,39 +42,46 @@ server {
|
||||
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate {{{CaPath}}};
|
||||
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
|
||||
{{/if}}
|
||||
{{/if}}
|
||||
|
||||
# Security headers
|
||||
add_header Referrer-Policy same-origin;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
{{#if Ssl}}
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
|
||||
location / {
|
||||
proxy_pass http://web:5000/;
|
||||
# Security headers
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
include /etc/nginx/security-headers.conf;
|
||||
{{#if Ssl}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
add_header Content-Security-Policy "{{{ContentSecurityPolicy}}}";
|
||||
}
|
||||
|
||||
location = /app-id.json {
|
||||
proxy_pass http://web:5000/app-id.json;
|
||||
include /etc/nginx/security-headers.conf;
|
||||
{{#if Ssl}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
proxy_hide_header Content-Type;
|
||||
add_header Content-Type $fido_content_type;
|
||||
}
|
||||
|
||||
location = /duo-connector.html {
|
||||
proxy_pass http://web:5000/duo-connector.html;
|
||||
proxy_hide_header X-Frame-Options;
|
||||
include /etc/nginx/security-headers.conf;
|
||||
{{#if Ssl}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
add_header X-Frame-Options "";
|
||||
}
|
||||
|
||||
location = /u2f-connector.html {
|
||||
proxy_pass http://web:5000/u2f-connector.html;
|
||||
proxy_hide_header X-Frame-Options;
|
||||
include /etc/nginx/security-headers.conf;
|
||||
{{#if Ssl}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
add_header X-Frame-Options "";
|
||||
}
|
||||
|
||||
location /attachments/ {
|
||||
|
Loading…
Reference in New Issue
Block a user